Unauthenticated File Upload Vulnerability in InstaWP Connect
CVE-2024-2667
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 2 May 2024
Badges
What is CVE-2024-2667?
The InstaWP Connect plugin for WordPress is susceptible to a vulnerability that allows unauthenticated users to upload arbitrary files. This stems from inadequate file validation within the REST API endpoint located at /wp-json/instawp-connect/v1/config. All versions of the plugin up to and including 0.1.0.22 are affected, enabling potential threats that could compromise the integrity of the hosting environment.
Affected Version(s)
InstaWP Connect – 1-click WP Staging & Migration * <= 0.1.0.22
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
88% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability Reserved