WordPress Plugin Vulnerabilities

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.

Affects Plugins

Plugin icon
instawp-connect
Fixed in 0.1.0.39

References

CVE
CVE-2024-4898
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Truoc Phan
Verified
No
WPVDB ID
67e67322-2698-4893-b4eb-ecd81480bb1f

Timeline

Publicly Published
2024-06-11 (about 2 years ago)
Added
2024-06-11 (about 2 years ago)
Last Updated
2024-06-12 (about 2 years ago)

Other

Published
Title
Published
2024-03-07
Title
affiliate-toolkit – WordPress Affiliate Plugin < 3.5.5 - Missing Authorization via atkp_create_list
Published
2024-10-09
Title
CubeWP – All-in-One Dynamic Content Framework < 1.1.16 - Missing Authorization
Published
2025-05-16
Title
Pinterest Automatic Pin <= 4.19.0 - Missing Authorization
Published
2025-04-01
Title
Astra Security Suite <= 0.2 - Missing Authorization
Published
2025-03-06
Title
School Management System for Wordpress <= 93.0.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion