Platform
wordpress
Component
instawp-connect
Fixed in
0.1.1
CVE-2025-2636 describes a Local File Inclusion (LFI) vulnerability affecting the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to sensitive data exposure or complete system compromise. The vulnerability impacts versions from 0.0.0 up to and including 0.1.0.85. A fix is expected from the vendor.
The LFI vulnerability in InstaWP Connect allows an attacker to leverage the 'instawp-database-manager' parameter to include and execute arbitrary files. This means an attacker could potentially read sensitive configuration files, database credentials, or even execute malicious PHP code. If the attacker can upload PHP files or if such files already exist on the server, they can gain full control over the WordPress instance. This could lead to data breaches, website defacement, or the installation of malware. The impact is particularly severe because the vulnerability requires no authentication, making it easily exploitable.
CVE-2025-2636 was publicly disclosed on April 11, 2025. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The ease of exploitation, combined with the plugin's popularity, suggests that it could become a target for opportunistic attackers.
WordPress websites using the InstaWP Connect plugin, particularly those with default file upload permissions or those running older, unpatched versions of WordPress, are at significant risk. Shared hosting environments where users have limited control over server file permissions are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'instawp-database-manager' /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep -i instawp
• wordpress / composer / npm:
find /var/www/html/wp-content/plugins/instawp-connect -type f -name '*.php' -print0 | xargs -0 grep 'instawp-database-manager'
Disclosure
Exploit status
EPSS
10.16% (93rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2636 is to upgrade the InstaWP Connect plugin to a patched version as soon as it becomes available. If immediate upgrading is not possible, implement a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the 'instawp-database-manager' parameter. Additionally, restrict file upload permissions and ensure that only trusted file types are allowed. Regularly scan the WordPress installation for any unauthorized files or modifications. After upgrading, verify the fix by attempting to access the vulnerable endpoint with a malicious payload and confirming that it is blocked.
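The version check from the detection commands above and the WAF rule on the 'instawp-database-manager' parameter, as an added example (not code from the advisory or from the InstaWP plugin). It assumes plugin versions compare as dotted integer tuples, that the plugin header carries a `Version:` line, and that the parameter arrives in the query string of an access-log request line; the sample log lines are constructed.

```python
# Added example, not code from the advisory or the InstaWP plugin: triage helpers
# for CVE-2025-2636. Assumptions: dotted-integer version strings, a 'Version:'
# plugin header line, and the parameter in the query string of a log request line.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LAST_AFFECTED = "0.1.0.85"          # advisory: affected range is 0.0.0 .. 0.1.0.85
PARAM = "instawp-database-manager"  # parameter named in the advisory

# Patterns the WAF rule blocks in the parameter: directory traversal, PHP stream
# wrappers (php://, file://, ...) and embedded NUL bytes (detection heuristic).
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|^[a-z]+://|\x00)", re.IGNORECASE)

def version_tuple(version: str) -> tuple:
    return tuple(int(p) for p in version.strip().split("."))

def is_affected(version: str) -> bool:
    """True when an InstaWP Connect version lies in the affected range."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)

def plugin_version(header_text: str):
    """Pull the 'Version:' value out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def param_is_suspicious(request_target: str) -> bool:
    """Apply the rule to every value of the parameter; decode a second time so
    double-encoded traversal (..%252F) is caught as well."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return any(SUSPICIOUS.search(unquote(v)) for v in values)

def flag_log_lines(lines):
    """Return the request targets of access-log lines that trip the rule."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and param_is_suspicious(m.group(1)):
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [11/Apr/2025:10:00:01 +0000] "GET /?instawp-database-manager=export HTTP/1.1" 200 512',
    '203.0.113.6 - - [11/Apr/2025:10:00:02 +0000] "GET /?instawp-database-manager=..%2F..%2Fwp-config.php HTTP/1.1" 200 4096',
    '203.0.113.7 - - [11/Apr/2025:10:00:03 +0000] "GET /?instawp-database-manager=php%3A%2F%2Ffilter%2Fresource%3Dx HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print("0.1.0.85 affected:", is_affected("0.1.0.85"), "| 0.1.1 affected:", is_affected("0.1.1"))
    print("flagged:", flag_log_lines(SAMPLE_LOG))
```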
Update the InstaWP Connect plugin to a fixed version. The unauthenticated local file inclusion vulnerability allows arbitrary code execution. Check for available updates in the WordPress plugin repository or on the developer's website.
CVE-2025-2636 is a Local File Inclusion vulnerability in the InstaWP Connect WordPress plugin, allowing attackers to execute arbitrary files. It has a CVSS score of 8.1 (HIGH) and affects versions 0.0.0–0.1.0.85.
You are affected if your WordPress site uses the InstaWP Connect plugin in versions 0.0.0 through 0.1.0.85. Check your plugin versions immediately.
Upgrade to the latest version of the InstaWP Connect plugin as soon as a patch is released. Until then, implement WAF rules or restrict file upload permissions.
There is currently no confirmed active exploitation, but the vulnerability is considered high severity and PoCs are likely to emerge.
Check the official InstaWP Connect website and WordPress plugin repository for updates and security advisories related to CVE-2025-2636.