cbcvebase.
CVE-2024-4898
published 2024-06-12


Priority: P185 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 4.16% (89.6th percentile)
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.

Affected (2 ranges)

Vendor    Product                                        Version range   Fixed in
instawp   instawp_connect                                < 0.1.0.39      0.1.0.39
instawp   instawp_connect_1-click_wp_staging_migration   <= 0.1.0.38     -

Detection & IOCs (extracted from sources)

URL:  /wp-json/instawp-connect/v1/config
Path: /wp-content/plugins/instawp-connect/
  • Detect unauthenticated POST requests to the InstaWP Connect REST API endpoint /wp-json/instawp-connect/v1/config — no Authorization header required; attacker supplies an api_key in the JSON body to connect the site and create admin users.
  • A successful exploitation response contains all three JSON fields: '"status":true', '"connect_id":', and '"message":"Connected"' with HTTP 200 — alert on this combination in web application logs.
  • Presence of the plugin path /wp-content/plugins/instawp-connect/ in HTTP responses can be used to fingerprint vulnerable WordPress installations for targeted scanning.
  • The vulnerability resides in the REST API handler class; review or monitor class-instawp-rest-api.php around line 926 for missing authorization logic.
  • The Nuclei PoC template requires a valid InstaWP api_key variable to be supplied at runtime; without it the exploit payload will not authenticate to the InstaWP API and the test will not produce a meaningful result.
  • The vulnerability affects all plugin versions up to and including 0.1.0.38; version 0.1.0.39 or later contains the patch — ensure version checks in detection rules account for this boundary.
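As an added example (not code from this page, the plugin or its vendor), a small detector that applies the two rules above, an unauthenticated POST to the config endpoint carrying an api_key, and the three-field "Connected" response with HTTP 200, over constructed log events; the normalised event schema, source addresses and response bodies are assumptions:

```python
import json

TARGET_PATH = "/wp-json/instawp-connect/v1/config"  # endpoint from the notes above

def _loads(text):
    """Parse JSON, returning None instead of raising on malformed input."""
    try:
        return json.loads(text or "")
    except (json.JSONDecodeError, TypeError):
        return None

def classify_event(event):
    """Return 'success', 'attempt' or None for one normalised HTTP event."""
    if event.get("method") != "POST" or event.get("path") != TARGET_PATH:
        return None
    headers = {k.lower() for k in event.get("headers", {})}
    body = _loads(event.get("request_body"))
    # Only unauthenticated requests that carry an api_key in the JSON body.
    if "authorization" in headers or not isinstance(body, dict) or "api_key" not in body:
        return None
    resp = _loads(event.get("response_body"))
    if (event.get("status") == 200 and isinstance(resp, dict)
            and resp.get("status") is True and "connect_id" in resp
            and resp.get("message") == "Connected"):
        return "success"  # all three success markers present with HTTP 200
    return "attempt"

def scan_log(lines):
    """Return (source address, verdict) for every suspicious event in a log."""
    alerts = []
    for line in lines:
        event = _loads(line)
        if isinstance(event, dict) and (verdict := classify_event(event)):
            alerts.append((event.get("src", "?"), verdict))
    return alerts

# Constructed sample events (not real traffic; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges). Field names are an assumed normalised-log schema.
SAMPLE_EVENTS = [
    {"src": "203.0.113.5", "method": "POST", "path": TARGET_PATH, "headers": {},
     "request_body": '{"api_key": "CONSTRUCTED-KEY"}', "status": 200,
     "response_body": '{"status":true,"connect_id":42,"message":"Connected"}'},
    {"src": "203.0.113.7", "method": "POST", "path": TARGET_PATH, "headers": {},
     "request_body": '{"api_key": "bad"}', "status": 200,
     "response_body": '{"status":false,"message":"Invalid key"}'},
    {"src": "198.51.100.9", "method": "POST", "path": TARGET_PATH,
     "headers": {"Authorization": "Bearer CONSTRUCTED"},
     "request_body": '{"api_key": "x"}', "status": 200, "response_body": "{}"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

A request with an Authorization header is deliberately not flagged, so the rule stays focused on the unauthenticated path the advisory describes; tune that exclusion if your proxy strips or rewrites auth headers before logging.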

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck       -         9.8     CRITICAL   -
vendor_redhat   -         5.5     MEDIUM     -