InstaWP Connect <= 0.1.0.85 - Unauthenticated Local PHP File Inclusion
Platform
wordpress
Component
instawp-connect
Fixed in
0.1.1
CVE-2025-2636 describes a Local File Inclusion (LFI) vulnerability affecting the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to sensitive data exposure or complete system compromise. The vulnerability impacts versions from 0.0.0 up to and including 0.1.0.85. A fix is expected from the vendor.
Impact and Attack Scenarios
The LFI vulnerability in InstaWP Connect allows an attacker to leverage the 'instawp-database-manager' parameter to include and execute arbitrary files. This means an attacker could potentially read sensitive configuration files, database credentials, or even execute malicious PHP code. If the attacker can upload PHP files or if such files already exist on the server, they can gain full control over the WordPress instance. This could lead to data breaches, website defacement, or the installation of malware. The impact is particularly severe because the vulnerability requires no authentication, making it easily exploitable.
Exploitation Context
CVE-2025-2636 was publicly disclosed on April 11, 2025. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. The ease of exploitation, combined with the plugin's popularity, suggests that it could become a target for opportunistic attackers.
Who Is at Risk
WordPress websites using the InstaWP Connect plugin, particularly those with default file upload permissions or those running older, unpatched versions of WordPress, are at significant risk. Shared hosting environments where users have limited control over server file permissions are also particularly vulnerable.
Detection Steps
• wordpress / composer / npm:
grep -r 'instawp-database-manager' /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep -i instawp-connect
• wordpress / composer / npm:
find /var/www/html/wp-content/plugins/instawp-connect -type f -name '*.php' -print0 | xargs -0 grep 'instawp-database-manager'
Attack Timeline
- Disclosure
Threat Analysis
Exploit Status
EPSS
10.16% (93rd percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — exploitable remotely over the Internet. No physical or local access required.
- Attack Complexity
- High — requires a race condition, non-default configuration or specific circumstances.
- Privileges Required
- None — exploitable without authentication. No credentials required.
- User Interaction
- None — automatic and silent attack. The victim does nothing.
- Scope
- Unchanged — impact confined to the vulnerable component.
- Confidentiality
- High — complete loss of confidentiality. The attacker can read all data.
- Integrity
- High — the attacker can write, modify or delete arbitrary data.
- Availability
- High — complete crash or resource exhaustion. Total denial of service.
Affected Software
Package Information
- Active Installations
- 40K (known)
- Plugin Rating
- 4.5
- Requires WordPress
- 5.6+
- Tested up to
- 6.9.4
- Requires PHP
- 7.0+
Vulnerability Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-2636 is to upgrade the InstaWP Connect plugin to a patched version as soon as it becomes available. If immediate upgrading is not possible, implement a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the 'instawp-database-manager' parameter. Additionally, restrict file upload permissions and ensure that only trusted file types are allowed. Regularly scan the WordPress installation for any unauthorized files or modifications. After upgrading, verify the fix by attempting to access the vulnerable endpoint with a malicious payload and confirming that it is blocked.
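The detection step `wp plugin list | grep ...` and the "upgrade to a patched version" advice above reduce to one question: is the installed InstaWP Connect version inside the affected range? The following POSIX shell script is an added example, not code from this advisory or from the InstaWP project. It takes the range from this page (0.0.0 through 0.1.0.85, fixed in 0.1.1), compares versions component by component so that 0.1.0.85 is correctly ranked below 0.1.1, and reads the installed version through WP-CLI. It assumes the `wp` binary is on PATH and that the WordPress root is passed as the first argument; the helper names `version_le`, `instawp_status` and `check_site` are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the InstaWP project): decide whether an
# installed InstaWP Connect version falls in the affected range given on this page.
# Affected: 0.0.0 through 0.1.0.85 (last affected release); fixed in 0.1.1.
LAST_AFFECTED='0.1.0.85'

# version_le A B: return 0 when A <= B, comparing dotted numeric versions
# component by component. A plain string comparison gets this wrong:
# "0.1.0.85" sorts after "0.1.1" as text but is the older release.
# Only numeric components are supported (no "-beta" style suffixes).
version_le() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # consume the leading component; a missing component counts as 0
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ai=${ai:-0}
        bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 0
}

# instawp_status VERSION: print "affected" or "patched" for a version string.
instawp_status() {
    if version_le "$1" "$LAST_AFFECTED"; then
        echo affected
    else
        echo patched
    fi
}

# check_site WP_ROOT: read the installed plugin version through WP-CLI
# (assumes `wp` is on PATH) and classify it. A missing plugin is reported,
# not treated as an error, so the script can run across many sites.
check_site() {
    v=$(wp --path="$1" plugin get instawp-connect --field=version 2>/dev/null) || {
        echo "instawp-connect: not installed under $1"
        return 0
    }
    printf 'instawp-connect %s: %s\n' "$v" "$(instawp_status "$v")"
}

# Usage: sh check_instawp.sh /var/www/html
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

`wp plugin get instawp-connect --field=version` prints only the version column, which is easier to parse than the full `wp plugin list` table; the `--path` global flag lets the same script be pointed at several installations from one host.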
How to Fix
Update the InstaWP Connect plugin to a fixed version. The unauthenticated local file inclusion vulnerability allows arbitrary code execution. Check for available updates in the WordPress plugin repository or on the developer's website.
Frequently Asked Questions
What is CVE-2025-2636 — LFI in InstaWP Connect WordPress Plugin?
CVE-2025-2636 is a Local File Inclusion vulnerability in the InstaWP Connect WordPress plugin, allowing attackers to execute arbitrary files. It has a CVSS score of 8.1 (HIGH) and affects versions 0.0.0–0.1.0.85.
Am I affected by CVE-2025-2636 in InstaWP Connect WordPress Plugin?
You are affected if your WordPress site uses the InstaWP Connect plugin in versions 0.0.0 through 0.1.0.85. Check your plugin versions immediately.
How do I fix CVE-2025-2636 in InstaWP Connect WordPress Plugin?
Upgrade to the latest version of the InstaWP Connect plugin as soon as a patch is released. Until then, implement WAF rules or restrict file upload permissions.
Is CVE-2025-2636 being actively exploited?
There is currently no confirmed active exploitation, but the vulnerability is considered high severity and PoCs are likely to emerge.
Where can I find the official InstaWP Connect advisory for CVE-2025-2636?
Check the official InstaWP Connect website and WordPress plugin repository for updates and security advisories related to CVE-2025-2636.