CVE-2024-4898

CRITICAL EXPLOITED NUCLEI

Instawp Connect < 0.1.0.39 - Missing Authorization

Title source: rule

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on its REST API endpoints in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.
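The weakness class here is CWE-862 in a WordPress REST route: the route registers a permission_callback that accepts every request, and the handler writes whatever option the caller names. Once an attacker can set arbitrary options, the usual path to an administrator account is flipping users_can_register on and default_role to administrator, then registering normally. The following is an added illustration of that vulnerable pattern beside a hardened one; it is not the InstaWP Connect plugin's code, and the route namespace, option names, header name and helper function names are all hypothetical.

```php
<?php
// Added illustration, not the InstaWP Connect plugin's own code. The route
// names, option names, the X-Example-Key header and all example_* helpers
// are hypothetical; only the WordPress APIs (register_rest_route,
// update_option, current_user_can, hash_equals, WP_Error) are real.

// VULNERABLE PATTERN (CWE-862): permission_callback accepts every request,
// so the route is reachable unauthenticated, and the handler updates any
// option the caller names. Setting users_can_register=1 and
// default_role=administrator turns plain registration into admin creation.
add_action('rest_api_init', function () {
    register_rest_route('example-connect/v1', '/option', [
        'methods'             => 'POST',
        'callback'            => 'example_update_option_unsafe',
        'permission_callback' => '__return_true', // no authorization at all
    ]);
});

function example_update_option_unsafe(WP_REST_Request $req) {
    update_option($req->get_param('name'), $req->get_param('value'));
    return rest_ensure_response(['updated' => true]);
}

// HARDENED PATTERN: require a capability for browser callers, or a
// constant-time match against a per-site secret for machine callers, and
// restrict writes to an allow-list of plugin-owned options.
add_action('rest_api_init', function () {
    register_rest_route('example-connect/v1', '/option-safe', [
        'methods'             => 'POST',
        'callback'            => 'example_update_option_safe',
        'permission_callback' => 'example_can_manage_connection',
        'args'                => [
            'name'  => ['required' => true, 'type' => 'string'],
            'value' => ['required' => true],
        ],
    ]);
});

function example_can_manage_connection(WP_REST_Request $req) {
    // Logged-in administrators (cookie auth with REST nonce, or application passwords).
    if (current_user_can('manage_options')) {
        return true;
    }
    // Machine-to-machine caller: compare a bearer secret in constant time.
    // The secret must have been set by an administrator, never by this endpoint.
    $stored = (string) get_option('example_connect_api_key', '');
    $sent   = (string) $req->get_header('X-Example-Key');
    if ($stored !== '' && $sent !== '' && hash_equals($stored, $sent)) {
        return true;
    }
    return new WP_Error('rest_forbidden', 'Not authorized.', ['status' => 401]);
}

// Only options this plugin owns; core options such as default_role,
// users_can_register or admin_email are deliberately absent.
const EXAMPLE_ALLOWED_OPTIONS = ['example_connect_staging_url', 'example_connect_last_sync'];

function example_update_option_safe(WP_REST_Request $req) {
    $name = sanitize_key($req->get_param('name'));
    if (!in_array($name, EXAMPLE_ALLOWED_OPTIONS, true)) {
        return new WP_Error('rest_invalid_param', 'Option not permitted.', ['status' => 400]);
    }
    update_option($name, sanitize_text_field((string) $req->get_param('value')));
    return rest_ensure_response(['updated' => true]);
}
```

Two checks are doing the work in the hardened version, and both are needed: the permission_callback decides who may call the route at all, and the allow-list decides what a legitimate caller may write. A permission_callback alone still lets a compromised API key rewrite default_role; an allow-list alone still lets an anonymous caller touch the plugin's own settings. When reviewing a plugin for this class of bug, grep for `'permission_callback' => '__return_true'` and for handlers that pass a request parameter straight into update_option.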

Exploits (4)

nomisec WRITEUP
by cve-2024 · remote
https://github.com/cve-2024/CVE-2024-4898-Poc
nomisec WRITEUP
by gh-ost00 · poc
https://github.com/gh-ost00/CVE-2024-4898

Nuclei Templates (1)

WordPress InstaWP Connect <= 0.1.0.38 - Unauthenticated User Creation
CRITICAL by Sourabh-Sahu
FOFA: body="/wp-content/plugins/instawp-connect/"

Scores

CVSS v3 9.8
EPSS 0.9011
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-06-12
CWE
CWE-862
Status published
Products (2)
instawp/instawp_connect < 0.1.0.39
instawp/InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38
Published Jun 12, 2024
Tracked Since Feb 18, 2026