CVE-2024-25918 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Auth. Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-25918
Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en InstaWP Team InstaWP Connect permite la inyección de código. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •
CVE-2024-23507 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2024-23507
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. Este problema afecta a InstaWP Connect – 1-click WP Staging & Migration: desde n/a hasta 0.1.0.9. The InstaWP Connect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 0.1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-23506 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2024-23506
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. Vulnerabilidad de exposición de información confidencial a un actor no autorizado en InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. Este problema afecta a InstaWP Connect – 1-click WP Staging & Migration: desde n/a hasta 0.1.0.9. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 0.1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2024-22145 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-22145
Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8. Vulnerabilidad de gestión de privilegios incorrecta en InstaWP Team InstaWP Connect permite la escalada de privilegios. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_management_settings function in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber access and above, to modify • https://github.com/RandomRobbieBF/CVE-2024-22145 https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •
CVE-2023-3956 – InstaWP Connect <= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver
https://notcve.org/view.php?id=CVE-2023-3956
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user. El plugin InstaWP Connect para WordPress es vulnerable al acceso no autorizado de datos, modificación de datos y pérdida de datos debido a una comprobación de capacidad faltante en la función "events_receiver" en versiones hasta la 0.0.9.18 inclusive. Esto hace posible que atacantes no autenticados añadan, modifiquen o eliminen entradas y taxonomías, instalen, activen o desactiven el plugin, cambien la configuración del personalizador y añadan, modifiquen o eliminen usuarios incluyendo el usuario administrador. • https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103 https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5 https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve • CWE-862: Missing Authorization •