WordPress Plugin Vulnerabilities

InstaWP Connect < 0.1.0.10 - Missing Authorization to Sensitive Information Dislcosure

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 0.1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information.

Affects Plugins

Plugin icon
instawp-connect
Fixed in 0.1.0.10

References

CVE
CVE-2024-23506
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9a184384-9162-4509-957b-d97dd4089856

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
4ba053a1-d55b-452d-919b-a123c121f67a

Timeline

Publicly Published
2024-01-24 (about 2 years ago)
Added
2024-01-26 (about 2 years ago)
Last Updated
2024-01-26 (about 2 years ago)

Other

Published
Title
Published
2026-01-05
Title
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress < 7.6.2 - Missing Authorization to Authenticated (Subscriber+) Information Exposure
Published
2026-02-09
Title
Cliengo – Chatbot < 3.0.5 - Missing Authorization
Published
2025-01-07
Title
1003 Mortgage Application <= 1.87 - Missing Authorization
Published
2024-03-29
Title
Integrate Google Drive < 1.3.9 - Missing Authorization to Unauthenticated Settings Modification and Export
Published
2024-01-10
Title
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure