Cross-Site Request Forgery in InstaWP Connect Plugin for WordPress
CVE-2024-13913

8.8HIGH

Key Information:

Vendor
InstaWP
Status
InstaWP Connect – 1-click WP Staging & Migration
Vendor
CVE Published:
14 March 2025

Summary

The InstaWP Connect plugin, used for 1-click WordPress staging and migration, contains a susceptibility to Cross-Site Request Forgery due to inadequate nonce validation in the '/migrate/templates/main.php' file. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server. Exploiting this flaw could allow the execution of any PHP code contained in the files, potentially leading to unauthorized access, sensitive data retrieval, and code execution by exploiting upload functionalities that may permit seemingly 'safe' file types.

Affected Version(s)

InstaWP Connect – 1-click WP Staging & Migration * <= 0.1.0.83

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/instawp-connec...
https://plugins.trac.wordpress.org/browser/instawp-connec...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bassem Essam
.