Search

Find a vulnerability

Search criteria

    20 vulnerabilities found for instawp_connect by instawp

    CVE-2024-6397 (GCVE-0-2024-6397)

    Vulnerability from nvd – Published: 2024-07-11 03:33 – Updated: 2026-04-08 17:10
    VLAI
    Title
    InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.44 - Authentication Bypass to Admin
    Summary
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    instawp InstaWP Connect – 1-click WP Staging & Migration Affected: 0 , ≤ 0.1.0.44 (semver)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.44 (semver)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Truoc Phan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.44",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6397",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-11T14:08:12.900391Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-11T18:03:29.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.350Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3109305/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3114674/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.0.44",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Truoc Phan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:12.110Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3109305/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3114674/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-10T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.44 - Authentication Bypass to Admin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6397",
        "datePublished": "2024-07-11T03:33:19.573Z",
        "dateReserved": "2024-06-27T19:57:23.466Z",
        "dateUpdated": "2026-04-08T17:10:12.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37228 (GCVE-0-2024-37228)

    Vulnerability from nvd – Published: 2024-06-24 12:35 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability
    Summary
    Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.38.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.38 (custom)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.38 (custom)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Date Public
    2026-04-01 16:26
    Credits
    AtaTurk1925 | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.38",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-24T20:07:17.607812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-24T20:14:45.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:50:55.253Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.39",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.38",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AtaTurk1925 | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:26:29.628Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.38.\u003c/p\u003e"
                }
              ],
              "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.38."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:56.955Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.38 - Arbitrary File Upload vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-37228",
        "datePublished": "2024-06-24T12:35:18.966Z",
        "dateReserved": "2024-06-04T16:46:21.940Z",
        "dateUpdated": "2026-04-28T16:09:56.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4898 (GCVE-0-2024-4898)

    Vulnerability from nvd – Published: 2024-06-12 11:05 – Updated: 2026-04-08 17:09
    VLAI
    Title
    InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
    Summary
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Truoc Phan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4898",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-12T19:28:20.387464Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-12T19:28:25.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.271Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.0.38",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Truoc Phan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:09:29.385Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-29T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-11T21:44:53.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4898",
        "datePublished": "2024-06-12T11:05:07.625Z",
        "dateReserved": "2024-05-15T07:33:21.328Z",
        "dateUpdated": "2026-04-08T17:09:29.385Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32701 (GCVE-0-2024-32701)

    Vulnerability from nvd – Published: 2024-06-09 17:19 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.24 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.24.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.24 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:25
    Credits
    Dhabaleshwar Das | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-10T14:11:42.950120Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-10T14:12:00.916Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:34.492Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.25",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:25:10.353Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.24.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.24."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:39.198Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.24 - Broken Access Control vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-32701",
        "datePublished": "2024-06-09T17:19:20.839Z",
        "dateReserved": "2024-04-17T08:56:01.508Z",
        "dateUpdated": "2026-04-28T16:09:39.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-22145 (GCVE-0-2024-22145)

    Vulnerability from nvd – Published: 2024-05-17 08:46 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability
    Summary
    Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.8 (custom)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.8 (custom)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Date Public
    2026-04-01 16:23
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22145",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-20T19:49:25.560036Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:52:29.504Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:35:34.956Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:23:17.105Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:08.604Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-22145",
        "datePublished": "2024-05-17T08:46:53.282Z",
        "dateReserved": "2024-01-05T11:18:25.467Z",
        "dateUpdated": "2026-04-28T16:09:08.604Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2667 (GCVE-0-2024-2667)

    Vulnerability from nvd – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:33
    VLAI
    Title
    InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload
    Summary
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Credits
    Nader Abdi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T16:05:05.290615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-17T16:05:14.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:18:48.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.0.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nader Abdi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary file uploads due to  insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:36.379Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-12T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.22 - Unauthenticated Arbitrary File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2667",
        "datePublished": "2024-05-02T16:52:52.798Z",
        "dateReserved": "2024-03-19T19:42:24.552Z",
        "dateUpdated": "2026-04-08T17:33:36.379Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-25918 (GCVE-0-2024-25918)

    Vulnerability from nvd – Published: 2024-04-03 12:11 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.8 - Remote Code Execution vulnerability
    Summary
    Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.8 (custom)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.8 (custom)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Date Public
    2026-04-28 13:51
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:52:06.215Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25918",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-03T18:20:34.759427Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T13:47:37.565Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-28T13:51:17.294Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:13.413Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.8 - Remote Code Execution vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-25918",
        "datePublished": "2024-04-03T12:11:07.587Z",
        "dateReserved": "2024-02-12T08:35:07.534Z",
        "dateUpdated": "2026-04-28T16:09:13.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23507 (GCVE-0-2024-23507)

    Vulnerability from nvd – Published: 2024-01-31 11:52 – Updated: 2026-05-11 20:52
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.9 - SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.9 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:23
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23507",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-30T18:29:58.574159Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T20:52:18.678Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.10",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:23:22.869Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:09.692Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.9 - SQL Injection vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-23507",
        "datePublished": "2024-01-31T11:52:25.115Z",
        "dateReserved": "2024-01-17T18:18:14.980Z",
        "dateUpdated": "2026-05-11T20:52:18.678Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23506 (GCVE-0-2024-23506)

    Vulnerability from nvd – Published: 2024-01-26 23:19 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.9 - Sensitive Data Exposure vulnerability
    Summary
    Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.9 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:23
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:24.786Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-23T19:47:13.011569Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-23T19:47:23.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.10",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:23:22.835Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9.\u003c/p\u003e"
                }
              ],
              "value": "Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:09.721Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.9 - Sensitive Data Exposure vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-23506",
        "datePublished": "2024-01-26T23:19:52.248Z",
        "dateReserved": "2024-01-17T18:18:14.980Z",
        "dateUpdated": "2026-04-28T16:09:09.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3956 (GCVE-0-2023-3956)

    Vulnerability from nvd – Published: 2023-07-27 06:54 – Updated: 2026-04-08 16:50
    VLAI
    Title
    InstaWP Connect <= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver
    Summary
    The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.660Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3956",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-05T18:40:10.626463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-05T19:38:35.811Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.0.9.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the \u0027events_receiver\u0027 function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:20.436Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-07-22T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-07-22T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-07-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u003c= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-3956",
        "datePublished": "2023-07-27T06:54:14.804Z",
        "dateReserved": "2023-07-26T17:41:07.986Z",
        "dateUpdated": "2026-04-08T16:50:20.436Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6397 (GCVE-0-2024-6397)

    Vulnerability from cvelistv5 – Published: 2024-07-11 03:33 – Updated: 2026-04-08 17:10
    VLAI
    Title
    InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.44 - Authentication Bypass to Admin
    Summary
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    instawp InstaWP Connect – 1-click WP Staging & Migration Affected: 0 , ≤ 0.1.0.44 (semver)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.44 (semver)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Truoc Phan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.44",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6397",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-11T14:08:12.900391Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-11T18:03:29.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.350Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3109305/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3114674/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.0.44",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Truoc Phan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:10:12.110Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/963f2485-3afa-4e17-8278-b75415af3915?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L28"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/class-instawp-hooks.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3109305/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3114674/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-07-10T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.44 - Authentication Bypass to Admin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-6397",
        "datePublished": "2024-07-11T03:33:19.573Z",
        "dateReserved": "2024-06-27T19:57:23.466Z",
        "dateUpdated": "2026-04-08T17:10:12.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-37228 (GCVE-0-2024-37228)

    Vulnerability from cvelistv5 – Published: 2024-06-24 12:35 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability
    Summary
    Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.38.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.38 (custom)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.38 (custom)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Date Public
    2026-04-01 16:26
    Credits
    AtaTurk1925 | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.38",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-37228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-24T20:07:17.607812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-24T20:14:45.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T03:50:55.253Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.39",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.38",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "AtaTurk1925 | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:26:29.628Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.38.\u003c/p\u003e"
                }
              ],
              "value": "Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.38."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:56.955Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.38 - Arbitrary File Upload vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-37228",
        "datePublished": "2024-06-24T12:35:18.966Z",
        "dateReserved": "2024-06-04T16:46:21.940Z",
        "dateUpdated": "2026-04-28T16:09:56.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4898 (GCVE-0-2024-4898)

    Vulnerability from cvelistv5 – Published: 2024-06-12 11:05 – Updated: 2026-04-08 17:09
    VLAI
    Title
    InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
    Summary
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Truoc Phan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4898",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-12T19:28:20.387464Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-12T19:28:25.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.271Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.0.38",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Truoc Phan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:09:29.385Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-29T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-06-11T21:44:53.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4898",
        "datePublished": "2024-06-12T11:05:07.625Z",
        "dateReserved": "2024-05-15T07:33:21.328Z",
        "dateUpdated": "2026-04-08T17:09:29.385Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32701 (GCVE-0-2024-32701)

    Vulnerability from cvelistv5 – Published: 2024-06-09 17:19 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.24 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.24.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.24 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:25
    Credits
    Dhabaleshwar Das | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-10T14:11:42.950120Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-10T14:12:00.916Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:34.492Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.25",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:25:10.353Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.24.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.24."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:39.198Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.24 - Broken Access Control vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-32701",
        "datePublished": "2024-06-09T17:19:20.839Z",
        "dateReserved": "2024-04-17T08:56:01.508Z",
        "dateUpdated": "2026-04-28T16:09:39.198Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-22145 (GCVE-0-2024-22145)

    Vulnerability from cvelistv5 – Published: 2024-05-17 08:46 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability
    Summary
    Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.8 (custom)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.8 (custom)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Date Public
    2026-04-01 16:23
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-22145",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-20T19:49:25.560036Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:52:29.504Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:35:34.956Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:23:17.105Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:08.604Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-22145",
        "datePublished": "2024-05-17T08:46:53.282Z",
        "dateReserved": "2024-01-05T11:18:25.467Z",
        "dateUpdated": "2026-04-28T16:09:08.604Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2667 (GCVE-0-2024-2667)

    Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:33
    VLAI
    Title
    InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload
    Summary
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Credits
    Nader Abdi
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T16:05:05.290615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-17T16:05:14.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:18:48.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.0.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nader Abdi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect \u2013 1-click WP Staging \u0026 Migration plugin for WordPress is vulnerable to arbitrary file uploads due to  insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:36.379Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3061039%40instawp-connect\u0026new=3061039%40instawp-connect\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-12T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration \u003c= 0.1.0.22 - Unauthenticated Arbitrary File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2667",
        "datePublished": "2024-05-02T16:52:52.798Z",
        "dateReserved": "2024-03-19T19:42:24.552Z",
        "dateUpdated": "2026-04-08T17:33:36.379Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-25918 (GCVE-0-2024-25918)

    Vulnerability from cvelistv5 – Published: 2024-04-03 12:11 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.8 - Remote Code Execution vulnerability
    Summary
    Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.8 (custom)
    Create a notification for this product.
    instawp instawp_connect Affected: 0 , ≤ 0.1.0.8 (custom)
        cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Date Public
    2026-04-28 13:51
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:52:06.215Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "instawp_connect",
                "vendor": "instawp",
                "versions": [
                  {
                    "lessThanOrEqual": "0.1.0.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25918",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-03T18:20:34.759427Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T13:47:37.565Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.9",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-28T13:51:17.294Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:13.413Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.8 - Remote Code Execution vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-25918",
        "datePublished": "2024-04-03T12:11:07.587Z",
        "dateReserved": "2024-02-12T08:35:07.534Z",
        "dateUpdated": "2026-04-28T16:09:13.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23507 (GCVE-0-2024-23507)

    Vulnerability from cvelistv5 – Published: 2024-01-31 11:52 – Updated: 2026-05-11 20:52
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.9 - SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.9 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:23
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23507",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-30T18:29:58.574159Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T20:52:18.678Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.10",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:23:22.869Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:09.692Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.9 - SQL Injection vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-23507",
        "datePublished": "2024-01-31T11:52:25.115Z",
        "dateReserved": "2024-01-17T18:18:14.980Z",
        "dateUpdated": "2026-05-11T20:52:18.678Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-23506 (GCVE-0-2024-23506)

    Vulnerability from cvelistv5 – Published: 2024-01-26 23:19 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress InstaWP Connect plugin <= 0.1.0.9 - Sensitive Data Exposure vulnerability
    Summary
    Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    Impacted products
    Vendor Product Version
    InstaWP InstaWP Connect Affected: 0 , ≤ 0.1.0.9 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:23
    Credits
    Majed Refaea | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:24.786Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-23T19:47:13.011569Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-23T19:47:23.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "instawp-connect",
              "product": "InstaWP Connect",
              "vendor": "InstaWP",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "0.1.0.10",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "0.1.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Majed Refaea | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:23:22.835Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.\u003cp\u003eThis issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9.\u003c/p\u003e"
                }
              ],
              "value": "Insertion of Sensitive Information Into Sent Data vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through \u003c= 0.1.0.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:09.721Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress InstaWP Connect plugin \u003c= 0.1.0.9 - Sensitive Data Exposure vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-23506",
        "datePublished": "2024-01-26T23:19:52.248Z",
        "dateReserved": "2024-01-17T18:18:14.980Z",
        "dateUpdated": "2026-04-28T16:09:09.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3956 (GCVE-0-2023-3956)

    Vulnerability from cvelistv5 – Published: 2023-07-27 06:54 – Updated: 2026-04-08 16:50
    VLAI
    Title
    InstaWP Connect <= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver
    Summary
    The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.660Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3956",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-05T18:40:10.626463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-05T19:38:35.811Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InstaWP Connect \u2013 1-click WP Staging \u0026 Migration",
              "vendor": "instawp",
              "versions": [
                {
                  "lessThanOrEqual": "0.0.9.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the \u0027events_receiver\u0027 function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:20.436Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-07-22T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-07-22T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-07-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "InstaWP Connect \u003c= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-3956",
        "datePublished": "2023-07-27T06:54:14.804Z",
        "dateReserved": "2023-07-26T17:41:07.986Z",
        "dateUpdated": "2026-04-08T16:50:20.436Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }