InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.84 – Cross-Site Request Forgery to Local File Inclusion | CVE 2024-13913 | Plugin Vulnerabilities

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

instawp-connect

Fixed in 0.1.0.84

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ea6c7b63-00da-4476-a024-97fe99af643d

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bassem Essam

Verified

No

WPVDB ID

f85f81da-eaf2-4bd1-9209-f7292c71c05c

Timeline

Publicly Published

2025-03-13 (about 1 year ago)

Added

2025-03-13 (about 1 year ago)

Last Updated

2025-03-14 (about 1 year ago)

Other

Published

Title

Published

2025-04-09

Title

Nino Social Connect <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-02-17

Title

Better Search < 2.5.3 - CSRF Nonce Bypass in Import/Export

Published

2014-12-12

Title

Simple Ip Ban <= 1.2.3 - Multiple CSRF

Published

2023-04-19

Title

Pearl < 1.3.5 - CSRF

Published

2022-11-14

Title

Becustom < 1.0.5.3 - Settings Update via CSRF