CVE-2024-22145

HIGH EXPLOITED

InstaWP Connect <0.1.0.8 - Privilege Escalation


Exploitation Summary

CVE-2024-22145 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including RandomRobbieBF.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-22145, which allows authenticated attackers with subscriber-level access to modify WordPress options due to a missing capability check in the InstaWP Connect plugin. The exploit demonstrates the vulnerability by enabling user registration and setting the default role to administrator.

Description

Incorrect Privilege Assignment vulnerability in InstaWP InstaWP Connect (instawp-connect). This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.

Exploits (1)

nomisec · Working PoC · 4 stars
by RandomRobbieBF · remote-auth
https://github.com/RandomRobbieBF/CVE-2024-22145

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress <= 0.1.0.8
Auth required
Prerequisites: Valid WordPress credentials (subscriber or higher) · InstaWP Connect plugin version <= 0.1.0.8 installed
Analyzed by devstral-2, Feb 18, 2026

Scores

CVSS v3 8.8
EPSS 0.0111
EPSS Percentile 61.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

VulnCheck KEV 2024-01-15
CWE
CWE-266 CWE-269
Status published
Products (2)
InstaWP/InstaWP Connect < 0.1.0.8
instawp/instawp_connect < 0.1.0.9
Published May 17, 2024
Tracked Since Feb 18, 2026