WordPress Plugin Vulnerabilities

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.23 - Unauthenticated Arbitrary File Upload

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.

Affects Plugins

Plugin icon
instawp-connect
Fixed in 0.1.0.23

References

CVE
CVE-2024-2667
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea

Miscellaneous

Original Researcher
AtaTurk1925
Verified
No
WPVDB ID
9307058d-8926-4d01-a068-43befdac9a7e

Timeline

Publicly Published
2024-04-12 (about 2 years ago)
Added
2024-04-12 (about 2 years ago)
Last Updated
2024-04-12 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
open-flash-chart-core - ofc_upload_image.php Arbitrary File Upload
Published
2024-11-13
Title
B-Banner Slider <= 1.1 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Unauthenticated Arbitrary File Upload
Published
2025-04-08
Title
Insert or Embed Articulate Content into WordPress < 4.3000000026 - Editor+ Arbitrary File Upload
Published
2023-10-09
Title
Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload