CVE-2023-3956

CRITICAL

InstaWP Connect <0.0.9.18 - Info Disclosure

Title source: llm

Description

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify, or delete posts and taxonomies; install, activate, or deactivate plugins; change customizer settings; and add, modify, or delete users, including administrator users.

Scores

CVSS v3 9.8
EPSS 0.0076
EPSS Percentile 50.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-862
Status published
Products (2)
instawp/InstaWP Connect – 1-click WP Staging & Migration < 0.0.9.18
instawp/instawp_connect < 0.0.9.18
Published Jul 27, 2023
Tracked Since Feb 18, 2026