WordPress Plugin Vulnerabilities

InstaWP Connect < 0.1.0.9 - Authenticated (Subscriber+) Remote Code Execution

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
instawp-connect
Fixed in 0.1.0.9

References

CVE
CVE-2024-25918
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a681cef-649f-4342-beb6-914674bbf6d6

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
9db733d7-eabd-4b36-8f2d-3e9a2ebb2cf8

Timeline

Publicly Published
2024-02-14 (about 2 years ago)
Added
2024-02-20 (about 2 years ago)
Last Updated
2024-02-20 (about 2 years ago)

Other

Published
Title
Published
2024-03-11
Title
Mollie Forms < 2.6.4 - Missing Authorization
Published
2026-04-13
Title
Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) < 4.1.9 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure
Published
2025-04-02
Title
Rich Text Editor <= 1.0.1 - Missing Authorization
Published
2026-03-20
Title
My Tickets – Accessible Event Ticketing < 2.1.2 - Missing Authorization
Published
2024-12-02
Title
Filebird < 6.3.4 - Missing Authorization