8 results (0.008 seconds)

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-37228 – WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability

https://notcve.org/view.php?id=CVE-2024-37228

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2

CVE-2024-4898 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation

https://notcve.org/view.php?id=CVE-2024-4898

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts. El complemento InstaWP Connect – 1-click WP Staging &amp; Migration para WordPress es vulnerable a actualizaciones de opciones arbitrarias debido a la falta de controles de autorización en las llamadas a la API REST en todas las versiones hasta la 0.1.0.38 incluida. Esto hace posible que atacantes no autenticados conecten el sitio a la API de InstaWP, editen opciones arbitrarias del sitio y creen cuentas de administrador. • https://github.com/truonghuuphuc/CVE-2024-4898-Poc https://github.com/cve-2024/CVE-2024-4898-Poc https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926 https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve • CWE-862: Missing Authorization •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-32701 – WordPress InstaWP Connect plugin <= 0.1.0.24 - Broken Access Control vulnerability

https://notcve.org/view.php?id=CVE-2024-32701

Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24. Vulnerabilidad de autorización faltante en InstaWP Team InstaWP Connect. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.24. The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 0.1.0.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-25918 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Auth. Remote Code Execution (RCE) vulnerability

https://notcve.org/view.php?id=CVE-2024-25918

Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en InstaWP Team InstaWP Connect permite la inyección de código. Este problema afecta a InstaWP Connect: desde n/a hasta 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.1.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-23507 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to SQL Injection

https://notcve.org/view.php?id=CVE-2024-23507

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en InstaWP Team InstaWP Connect – 1-click WP Staging &amp; Migration. Este problema afecta a InstaWP Connect – 1-click WP Staging &amp; Migration: desde n/a hasta 0.1.0.9. The InstaWP Connect plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 0.1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •