WordPress Plugin Vulnerabilities

InstaWP Connect < 0.1.0.39 - Unauthenticated Arbitrary File Upload

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
instawp-connect
Fixed in 0.1.0.39

References

CVE
CVE-2024-37228
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cedc575c-ee8f-4c62-bc44-95252a0c8b6f

Miscellaneous

Original Researcher
AtaTurk1925
Verified
No
WPVDB ID
aa5b008d-6540-4ad5-920c-5bd24d979738

Timeline

Publicly Published
2024-06-21 (about 2 years ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2024-07-02 (about 1 year ago)

Other

Published
Title
Published
2022-09-05
Title
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
Published
2025-08-19
Title
Compress Then Upload < 1.0.5 - Admin+ Arbitrary File Upload
Published
2025-11-04
Title
KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload
Published
2024-04-10
Title
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE < 2.6.9 - Author+ Stored XSS via SVG Upload
Published
2025-07-14
Title
Custom User Registration Fields for WooCommerce <= 2.1.2 - Unauthenticated Arbitrary File Upload