Skip to main content

InstaWP Connect CVE-2024-37228

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-06-24 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL) 10.0 (CRITICAL)
CVE Published
Jun 24, 2024 - 13:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.38.

AnalysisAI

Unrestricted file upload in the InstaWP Connect WordPress plugin (versions up to and including 0.1.0.38) allows remote unauthenticated attackers to upload dangerous file types, leading to full site compromise with scope change. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction, though EPSS of 0.85% (75th percentile) and absence from CISA KEV indicate no public exploit identified at time of analysis.

Technical ContextAI

InstaWP Connect is a WordPress plugin (CPE cpe:2.3:a:instawp:instawp_connect for the WordPress target environment) used to clone, stage, and migrate WordPress sites between InstaWP-hosted environments and self-hosted installations. The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler fails to validate file extension, MIME type, or content before persisting attacker-supplied files into a web-accessible location. In a WordPress context, this typically permits dropping a PHP file under wp-content that the web server will then execute, converting an upload primitive into arbitrary code execution within the WordPress process.

RemediationAI

Upgrade InstaWP Connect to a version later than 0.1.0.38 as soon as the vendor publishes a fixed release; consult the Patchstack advisory associated with this CVE for the exact patched version, since the input data does not specify one. Until a fixed version is installed, deactivate and remove the InstaWP Connect plugin on production WordPress sites - the plugin is primarily used for migration and staging, so removal during steady-state operation has minimal functional impact. If removal is not acceptable, restrict access to the plugin's REST and admin-ajax endpoints at the web server or WAF layer (allowlist by source IP for migration windows only) and monitor wp-content for newly created PHP files; note that endpoint-level blocks can break legitimate InstaWP migration workflows and require re-enabling during planned operations.

Share

CVE-2024-37228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy