CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2667 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-2667
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files. El complemento InstaWP Connect – 1-click WP Staging & Migration para WordPress es vulnerable a cargas de archivos arbitrarias debido a una validación de archivos insuficiente en el endpoint de la API REST /wp-json/instawp-connect/v1/config en todas las versiones hasta e incluida, 0.1.0.22. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios. • https://github.com/Puvipavan/CVE-2024-2667 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3061039%40instawp-connect&new=3061039%40instawp-connect&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25918 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Auth. Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-25918
Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en InstaWP Team InstaWP Connect permite la inyección de código. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23507 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2024-23507
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. Este problema afecta a InstaWP Connect – 1-click WP Staging & Migration: desde n/a hasta 0.1.0.9. The InstaWP Connect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 0.1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23506 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2024-23506
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. Vulnerabilidad de exposición de información confidencial a un actor no autorizado en InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. Este problema afecta a InstaWP Connect – 1-click WP Staging & Migration: desde n/a hasta 0.1.0.9. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 0.1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-22145 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-22145
Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8. Vulnerabilidad de gestión de privilegios incorrecta en InstaWP Team InstaWP Connect permite la escalada de privilegios. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_management_settings function in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber access and above, to modify • https://github.com/RandomRobbieBF/CVE-2024-22145 https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •