Vulnerabilites related to instawp - instawp_connect
cve-2024-32701
Vulnerability from cvelistv5
Published
2024-06-09 17:19
Modified
2024-08-02 02:20
Severity ?
EPSS score ?
Summary
Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstaWP Team | InstaWP Connect |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T14:11:42.950120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T14:12:00.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:34.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "instawp-connect",
"product": "InstaWP Connect",
"vendor": "InstaWP Team",
"versions": [
{
"changes": [
{
"at": "0.1.0.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.1.0.24",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in InstaWP Team InstaWP Connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through 0.1.0.24.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-09T17:19:20.839Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 0.1.0.25 or a higher version."
}
],
"value": "Update to 0.1.0.25 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.24 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32701",
"datePublished": "2024-06-09T17:19:20.839Z",
"dateReserved": "2024-04-17T08:56:01.508Z",
"dateUpdated": "2024-08-02T02:20:34.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-37228
Vulnerability from cvelistv5
Published
2024-06-24 12:35
Modified
2024-08-02 03:50
Severity ?
EPSS score ?
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstaWP Team | InstaWP Connect |
Version: n/a < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "instawp_connect",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.38",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-24T20:07:17.607812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T20:14:45.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "instawp-connect",
"product": "InstaWP Connect",
"vendor": "InstaWP Team",
"versions": [
{
"changes": [
{
"at": "0.1.0.39",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.1.0.38",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "AtaTurk1925 (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP Team InstaWP Connect allows Code Injection.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through 0.1.0.38.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T12:35:18.966Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 0.1.0.39 or a higher version."
}
],
"value": "Update to 0.1.0.39 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.38 - Arbitrary File Upload vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37228",
"datePublished": "2024-06-24T12:35:18.966Z",
"dateReserved": "2024-06-04T16:46:21.940Z",
"dateUpdated": "2024-08-02T03:50:55.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-6397
Vulnerability from cvelistv5
Published
2024-07-11 03:33
Modified
2024-08-01 21:41
Severity ?
EPSS score ?
Summary
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instawp | InstaWP Connect – 1-click WP Staging & Migration |
Version: * ≤ 0.1.0.44 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "instawp_connect",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.44",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6397",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-11T14:08:12.900391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T18:03:29.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:41:03.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3109305/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3114674/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.44",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Truoc Phan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T03:33:19.573Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3109305/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3114674/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.44 - Authentication Bypass to Admin"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6397",
"datePublished": "2024-07-11T03:33:19.573Z",
"dateReserved": "2024-06-27T19:57:23.466Z",
"dateUpdated": "2024-08-01T21:41:03.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23506
Vulnerability from cvelistv5
Published
2024-01-26 23:19
Modified
2024-08-23 19:47
Severity ?
EPSS score ?
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstaWP Team | InstaWP Connect – 1-click WP Staging & Migration |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:24.786Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T19:47:13.011569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:47:23.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "instawp-connect",
"product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
"vendor": "InstaWP Team",
"versions": [
{
"changes": [
{
"at": "0.1.0.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.1.0.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Majed Refaea (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration.\u003cp\u003eThis issue affects InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration: from n/a through 0.1.0.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026 Migration.This issue affects InstaWP Connect \u2013 1-click WP Staging \u0026 Migration: from n/a through 0.1.0.9.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-26T23:19:52.248Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;0.1.0.10 or a higher version."
}
],
"value": "Update to\u00a00.1.0.10 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress InstaWP Connect Plugin \u003c= 0.1.0.9 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-23506",
"datePublished": "2024-01-26T23:19:52.248Z",
"dateReserved": "2024-01-17T18:18:14.980Z",
"dateUpdated": "2024-08-23T19:47:23.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-4898
Vulnerability from cvelistv5
Published
2024-06-12 11:05
Modified
2024-08-01 20:55
Severity ?
EPSS score ?
Summary
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instawp | InstaWP Connect – 1-click WP Staging & Migration |
Version: * ≤ 0.1.0.38 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T19:28:20.387464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T19:28:25.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.38",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Truoc Phan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T11:05:07.625Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-29T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-11T21:44:53.000+00:00",
"value": "Disclosed"
}
],
"title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4898",
"datePublished": "2024-06-12T11:05:07.625Z",
"dateReserved": "2024-05-15T07:33:21.328Z",
"dateUpdated": "2024-08-01T20:55:10.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-22145
Vulnerability from cvelistv5
Published
2024-05-17 08:46
Modified
2024-08-01 22:35
Severity ?
EPSS score ?
Summary
Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstaWP Team | InstaWP Connect |
Version: n/a < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "instawp_connect",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T19:49:25.560036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:52:29.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "instawp-connect",
"product": "InstaWP Connect",
"vendor": "InstaWP Team",
"versions": [
{
"changes": [
{
"at": "0.1.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.1.0.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Majed Refaea (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through 0.1.0.8.\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-17T08:46:53.282Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 0.1.0.9 or a higher version."
}
],
"value": "Update to 0.1.0.9 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-22145",
"datePublished": "2024-05-17T08:46:53.282Z",
"dateReserved": "2024-01-05T11:18:25.467Z",
"dateUpdated": "2024-08-01T22:35:34.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-25918
Vulnerability from cvelistv5
Published
2024-04-03 12:11
Modified
2024-08-27 13:47
Severity ?
EPSS score ?
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstaWP Team | InstaWP Connect |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:52:06.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "instawp_connect",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T18:20:34.759427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T13:47:37.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "instawp-connect",
"product": "InstaWP Connect",
"vendor": "InstaWP Team",
"versions": [
{
"changes": [
{
"at": "0.1.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.1.0.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Majed Refaea (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through 0.1.0.8.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242: Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-03T12:11:07.587Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;0.1.0.9 or a higher version."
}
],
"value": "Update to\u00a00.1.0.9 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.8 - Auth. Remote Code Execution (RCE) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-25918",
"datePublished": "2024-04-03T12:11:07.587Z",
"dateReserved": "2024-02-12T08:35:07.534Z",
"dateUpdated": "2024-08-27T13:47:37.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-3956
Vulnerability from cvelistv5
Published
2023-07-27 06:54
Modified
2025-02-05 19:38
Severity ?
EPSS score ?
Summary
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instawp | InstaWP Connect – 1-click WP Staging & Migration (beta) |
Version: * ≤ 0.0.9.18 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:40:10.626463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:38:35.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration (beta)",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.0.9.18",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the \u0027events_receiver\u0027 function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-27T06:54:14.804Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-07-22T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-07-26T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3956",
"datePublished": "2023-07-27T06:54:14.804Z",
"dateReserved": "2023-07-26T17:41:07.986Z",
"dateUpdated": "2025-02-05T19:38:35.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2667
Vulnerability from cvelistv5
Published
2024-05-02 16:52
Modified
2024-08-01 19:18
Severity ?
EPSS score ?
Summary
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| instawp | InstaWP Connect – 1-click WP Staging & Migration |
Version: * ≤ 0.1.0.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T16:05:05.290615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T16:05:14.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
"vendor": "instawp",
"versions": [
{
"lessThanOrEqual": "0.1.0.22",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nader Abdi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:52:52.798Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2667",
"datePublished": "2024-05-02T16:52:52.798Z",
"dateReserved": "2024-03-19T19:42:24.552Z",
"dateUpdated": "2024-08-01T19:18:48.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23507
Vulnerability from cvelistv5
Published
2024-01-31 11:52
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InstaWP Team | InstaWP Connect – 1-click WP Staging & Migration |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "instawp-connect",
"product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
"vendor": "InstaWP Team",
"versions": [
{
"changes": [
{
"at": "0.1.0.10",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.1.0.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Majed Refaea (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration.\u003cp\u003eThis issue affects InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration: from n/a through 0.1.0.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026 Migration.This issue affects InstaWP Connect \u2013 1-click WP Staging \u0026 Migration: from n/a through 0.1.0.9.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T11:52:25.115Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;0.1.0.10 or a higher version."
}
],
"value": "Update to\u00a00.1.0.10 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress InstaWP Connect Plugin \u003c= 0.1.0.9 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-23507",
"datePublished": "2024-01-31T11:52:25.115Z",
"dateReserved": "2024-01-17T18:18:14.980Z",
"dateUpdated": "2024-08-01T23:06:25.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-07-27 07:15
Modified
2024-11-21 08:18
Severity ?
Summary
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CA84D292-8449-4A87-8D0A-84D08318737F",
"versionEndIncluding": "0.0.9.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the \u0027events_receiver\u0027 function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user."
},
{
"lang": "es",
"value": "El plugin InstaWP Connect para WordPress es vulnerable al acceso no autorizado de datos, modificaci\u00f3n de datos y p\u00e9rdida de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n \"events_receiver\" en versiones hasta la 0.0.9.18 inclusive. Esto hace posible que atacantes no autenticados a\u00f1adan, modifiquen o eliminen entradas y taxonom\u00edas, instalen, activen o desactiven el plugin, cambien la configuraci\u00f3n del personalizador y a\u00f1adan, modifiquen o eliminen usuarios incluyendo el usuario administrador. "
}
],
"id": "CVE-2023-3956",
"lastModified": "2024-11-21T08:18:23.840",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2023-07-27T07:15:09.857",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2024-05-17 09:15
Modified
2025-02-07 18:35
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "623C3C98-BB44-47E5-984F-195BF63CCA0E",
"versionEndExcluding": "0.1.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8."
},
{
"lang": "es",
"value": " Vulnerabilidad de gesti\u00f3n de privilegios incorrecta en InstaWP Team InstaWP Connect permite la escalada de privilegios. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8."
}
],
"id": "CVE-2024-22145",
"lastModified": "2025-02-07T18:35:55.977",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-05-17T09:15:21.410",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-03 12:15
Modified
2025-02-09 20:40
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "623C3C98-BB44-47E5-984F-195BF63CCA0E",
"versionEndExcluding": "0.1.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8.\n\n"
},
{
"lang": "es",
"value": "Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en InstaWP Team InstaWP Connect permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8."
}
],
"id": "CVE-2024-25918",
"lastModified": "2025-02-09T20:40:39.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-04-03T12:15:10.537",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-06-12 11:15
Modified
2024-11-21 09:43
Severity ?
Summary
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "66DB2CB9-8164-4EAF-ABFF-14E11FC7B2E0",
"versionEndExcluding": "0.1.0.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts."
},
{
"lang": "es",
"value": "El complemento InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration para WordPress es vulnerable a actualizaciones de opciones arbitrarias debido a la falta de controles de autorizaci\u00f3n en las llamadas a la API REST en todas las versiones hasta la 0.1.0.38 incluida. Esto hace posible que atacantes no autenticados conecten el sitio a la API de InstaWP, editen opciones arbitrarias del sitio y creen cuentas de administrador."
}
],
"id": "CVE-2024-4898",
"lastModified": "2024-11-21T09:43:49.167",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-06-12T11:15:50.907",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-31 12:16
Modified
2024-11-21 08:57
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8F64534D-B2EB-42F8-9D98-35D7C4967FF1",
"versionEndIncluding": "0.1.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026 Migration.This issue affects InstaWP Connect \u2013 1-click WP Staging \u0026 Migration: from n/a through 0.1.0.9.\n\n"
},
{
"lang": "es",
"value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\u0027inyecci\u00f3n SQL\u0027) en InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration. Este problema afecta a InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration: desde n/a hasta 0.1.0.9."
}
],
"id": "CVE-2024-23507",
"lastModified": "2024-11-21T08:57:51.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-31T12:16:06.007",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-06-24 13:15
Modified
2025-02-06 15:04
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "66DB2CB9-8164-4EAF-ABFF-14E11FC7B2E0",
"versionEndExcluding": "0.1.0.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38."
},
{
"lang": "es",
"value": "La vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo (\"inyecci\u00f3n de c\u00f3digo\") en InstaWP Team InstaWP Connect permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.38."
}
],
"id": "CVE-2024-37228",
"lastModified": "2025-02-06T15:04:42.603",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-24T13:15:10.947",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-27 00:15
Modified
2024-11-21 08:57
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8F64534D-B2EB-42F8-9D98-35D7C4967FF1",
"versionEndIncluding": "0.1.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026 Migration.This issue affects InstaWP Connect \u2013 1-click WP Staging \u0026 Migration: from n/a through 0.1.0.9.\n\n"
},
{
"lang": "es",
"value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado en InstaWP Team InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration. Este problema afecta a InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration: desde n/a hasta 0.1.0.9."
}
],
"id": "CVE-2024-23506",
"lastModified": "2024-11-21T08:57:51.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-27T00:15:24.977",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-05-02 17:15
Modified
2025-02-06 18:05
Severity ?
Summary
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "F4F69A34-C28C-486D-B889-443B2DFB1E0F",
"versionEndExcluding": "0.1.0.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files."
},
{
"lang": "es",
"value": "El complemento InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration para WordPress es vulnerable a cargas de archivos arbitrarias debido a una validaci\u00f3n de archivos insuficiente en el endpoint de la API REST /wp-json/instawp-connect/v1/config en todas las versiones hasta e incluida, 0.1.0.22. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios."
}
],
"id": "CVE-2024-2667",
"lastModified": "2025-02-06T18:05:25.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Secondary"
}
]
},
"published": "2024-05-02T17:15:18.443",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-11 04:15
Modified
2024-11-21 09:49
Severity ?
Summary
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B415B6BA-5CF8-4A07-9546-2814F2BFCBAD",
"versionEndExcluding": "0.1.0.45",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery."
},
{
"lang": "es",
"value": "El complemento InstaWP Connect \u2013 1-click WP Staging \u0026amp; Migration para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en todas las versiones hasta la 0.1.0.44 incluida. Esto se debe a una verificaci\u00f3n insuficiente de la clave API. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario existente en el sitio, como un administrador, si tienen acceso al nombre de usuario, y realicen una variedad de otras tareas administrativas. NOTA: Esta vulnerabilidad se solucion\u00f3 parcialmente en 0.1.0.44, pero a\u00fan era explotable mediante Cross-Site Request Forgery."
}
],
"id": "CVE-2024-6397",
"lastModified": "2024-11-21T09:49:34.490",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-07-11T04:15:05.997",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3109305/"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3114674/"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3109305/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3114674/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-06-09 18:15
Modified
2024-11-21 09:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| instawp | instawp_connect | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4AAB85C2-CEF0-4734-93C7-322DA155A978",
"versionEndExcluding": "0.1.0.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en InstaWP Team InstaWP Connect. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.24."
}
],
"id": "CVE-2024-32701",
"lastModified": "2024-11-21T09:15:30.577",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-09T18:15:10.823",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}