InstaWP Connect < 0.1.0.9 – Missing Authorization to Arbitrary Options Update | CVE 2024-22145 | Plugin Vulnerabilities

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_management_settings function in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber access and above, to modify

Affects Plugins

instawp-connect

Fixed in 0.1.0.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6aa4fd08-a1b1-4f61-a9d1-9812071b61c9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Majed Refaea

Verified

No

WPVDB ID

b62ae5b1-0041-4426-8b61-a7ba61dae530

Timeline

Publicly Published

2024-01-17 (about 2 years ago)

Added

2024-01-18 (about 2 years ago)

Last Updated

2024-01-18 (about 2 years ago)

Other

Published

Title

Published

2025-11-20

Title

Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Contract Address Update

Published

2026-01-23

Title

UPI QR Code Payment Gateway for WooCommerce < 1.6.1 - Missing Authorization

Published

2024-08-09

Title

WpTravelly < 1.7.8 - Missing Authorization

Published

2023-04-18

Title

Essential Blocks < 4.0.7 - Multiple Functions Missing Authorization Checks

Published

2025-06-19

Title

WP Customer Area <= 8.3.4 - Missing Authorization