Platform
wordpress
Component
instawp-connect
Fixed in
0.1.1
CVE-2025-2636 is an unauthenticated Local File Inclusion (LFI) vulnerability in the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. It lets an attacker with no credentials include arbitrary files from the server's local filesystem and, where those files contain PHP, execute them, which can expose sensitive data or lead to full compromise of the site. Affected versions are 0.0.0 through 0.1.0.85 inclusive; the issue is fixed in 0.1.1.
The flaw lies in how the plugin handles the 'instawp-database-manager' parameter: its value is used to select a file for inclusion without adequate validation, so an attacker can point it at arbitrary files. If the attacker can place a PHP file on the server (for example through an upload feature) or a usable PHP file already exists there, inclusion turns into arbitrary code execution. That means complete takeover of the WordPress instance: modifying content, reading wp-config.php and the database credentials it holds, installing malware, or defacing the site. The impact is aggravated by the fact that no authentication is required. This is the standard LFI-to-code-execution chain seen in many other file inclusion bugs.
CVE-2025-2636 was publicly disclosed on 2025-04-11. There is currently no indication of active exploitation campaigns targeting this vulnerability. Its EPSS score is 10.16% (93rd percentile), which is high for a newly disclosed issue. Public proof-of-concept (PoC) code is likely to emerge given how easy LFI vulnerabilities are to exploit.
Exploit Status
EPSS
10.16% (93rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2636 is to upgrade InstaWP Connect to version 0.1.1 or later. If the upgrade cannot be applied immediately, use temporary workarounds: configure a Web Application Firewall (WAF) to block requests whose 'instawp-database-manager' parameter contains path traversal sequences (../ in plain or URL-encoded form), absolute paths, or PHP stream wrappers such as php:// and data://; restrict file upload permissions so an attacker cannot stage a PHP file to include; and review the web server access logs and the WordPress tree for unauthorized files and for requests carrying suspicious values in that parameter. After upgrading, confirm the fix by checking that the installed plugin version is 0.1.1 or later and, on a staging copy, by sending a harmless traversal probe in the parameter and verifying that the server no longer serves the referenced file.
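The parameter check described above is the same logic whether it lives in a WAF rule or in a log review. The following script is an added example written for this page, not code from the plugin or from the advisory: it classifies a single 'instawp-database-manager' value for the LFI indicators named above (traversal, absolute path, stream wrapper, null byte) and then runs that classifier over access-log lines in combined log format. The log lines, IP addresses and user agents are constructed for illustration; the parameter name is the one the advisory gives.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameter named in the CVE-2025-2636 description.
PARAM = "instawp-database-manager"

# Indicators an LFI payload in that parameter would carry.  The regexes are
# deliberately narrow so ordinary parameter values are not flagged.
_TRAVERSAL = re.compile(r"\.\.[/\\]")
_ABSOLUTE = re.compile(r"^(?:/|[a-zA-Z]:\\)")
_WRAPPER = re.compile(r"^(?:php|phar|data|file|expect|zip|glob)://", re.I)


def classify_value(raw):
    """Return the indicator names matched by one parameter value ([] if benign).

    The value is URL-decoded twice so that double-encoded traversal
    (%252e%252e%252f) is caught as well as single-encoded and literal forms.
    """
    value = unquote(unquote(raw))
    reasons = []
    if _TRAVERSAL.search(value):
        reasons.append("traversal")
    if _ABSOLUTE.search(value):
        reasons.append("absolute-path")
    if _WRAPPER.search(value):
        reasons.append("stream-wrapper")
    if "\x00" in value:
        reasons.append("null-byte")
    return reasons


# Combined log format as written by Apache/nginx: client, timestamp, request, status.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text):
    """Return one finding per request whose PARAM value looks like an LFI attempt."""
    findings = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one layer; classify_value handles the rest.
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "value": value, "reasons": reasons})
    return findings


# Constructed sample access-log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2025:10:01:12 +0000] "GET /?instawp-database-manager=../../../../wp-config.php HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [11/Apr/2025:10:01:15 +0000] "GET /?instawp-database-manager=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.5.0"
198.51.100.4 - - [11/Apr/2025:10:02:00 +0000] "GET /?instawp-database-manager=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 7000 "-" "python-requests/2.31"
192.0.2.9 - - [11/Apr/2025:10:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Apr/2025:10:03:45 +0000] "GET /?instawp-database-manager=status HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['value']!r} -> {', '.join(f['reasons'])}")
```

Run it against a real access log with `scan_log(open(path).read())`. A flagged request answered with HTTP 200 and a non-trivial response size is the case to treat as a possible successful inclusion on an unpatched site; a 403 from a WAF rule, or a 4xx after the upgrade, is what you want to see.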
Update the InstaWP Connect plugin to a fixed version. The unauthenticated local file inclusion vulnerability allows arbitrary code execution. Check for available updates in the WordPress plugin repository or on the developer's website.
CVE-2025-2636 is a Local File Inclusion vulnerability in the InstaWP Connect WordPress plugin that allows unauthenticated attackers to include, and potentially execute, arbitrary local files. It has a CVSS score of 8.1 (HIGH) and affects versions 0.0.0–0.1.0.85.
You are affected if your WordPress site uses the InstaWP Connect plugin in versions 0.0.0 through 0.1.0.85. Check your plugin versions immediately.
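Version strings like 0.1.0.85 have four components, so a naive string comparison gets the affected range wrong (as a string, "0.1.1" sorts before "0.1.0.85" is false only by luck of the characters, and "0.1.10" would sort before "0.1.2"). The snippet below is an added example for this page, not the plugin's or the advisory's code: it reads the Version header WordPress uses from a plugin's main file and compares it numerically against the affected range stated above. The plugin header text is constructed for illustration.

```python
import re

# Boundaries taken from the advisory text on this page.
AFFECTED_MAX = "0.1.0.85"   # highest affected version
FIXED_IN = "0.1.1"          # version listed in the "Fixed in" field


def version_key(version):
    """Turn a dotted plugin version into a comparable tuple of ints.

    Trailing zeros are dropped so 0.1.1 and 0.1.1.0 compare equal; any
    pre-release suffix such as -beta is ignored, which is fine for this check.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True when the version falls in the advisory's affected range (<= 0.1.0.85)."""
    return version_key(version) <= version_key(AFFECTED_MAX)


def header_version(php_source):
    """Extract the 'Version:' header WordPress reads from a plugin's main file."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)\s*$", php_source, re.M)
    return m.group(1) if m else None


def assess(php_source):
    """Report whether a plugin main file's version is in the affected range."""
    v = header_version(php_source)
    if v is None:
        return {"version": None, "affected": None, "note": "no Version header found"}
    affected = is_affected(v)
    return {"version": v, "affected": affected,
            "note": f"upgrade to {FIXED_IN} or later" if affected else "not in affected range"}


# Constructed plugin header in the layout WordPress expects (not the real plugin file).
SAMPLE_PLUGIN_HEADER = """\
<?php
/**
 * Plugin Name: InstaWP Connect
 * Version:     0.1.0.85
 */
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER))
```

On a live install, pass the contents of the plugin's main PHP file under wp-content/plugins/instawp-connect/ to `assess()` (the exact file name is an assumption; it is the file carrying the Plugin Name header). If WP-CLI is available, `wp plugin get instawp-connect --field=version` prints the same version string and can be fed to `is_affected()` directly.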
Upgrade the InstaWP Connect plugin to version 0.1.1 or later. If you cannot upgrade immediately, put WAF rules in front of the 'instawp-database-manager' parameter and restrict file upload permissions.
There is currently no confirmed active exploitation, but the vulnerability is considered high severity and PoCs are likely to emerge.
Check the official InstaWP Connect website and WordPress plugin repository for updates and security advisories related to CVE-2025-2636.