Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.
AnalysisAI
InstaWP Connect WordPress plugin through version 0.1.2.5 permits authenticated users to access or modify resources they should not have permission to reach due to missing authorization checks. With CVSS 5.4 (authenticated network access, low complexity), EPSS 0.02%, and no confirmed public exploit code, this represents a moderate privilege escalation risk primarily affecting multi-user WordPress installations where access control segregation is important.
Technical ContextAI
InstaWP Connect is a WordPress plugin (CPE: cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:*:*:*) that facilitates WordPress site management and deployment. The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to enforce proper permission boundaries between users or roles. In WordPress plugin context, this typically manifests when admin or privileged functions lack capability checks (e.g., missing current_user_can() or similar authorization verifications), allowing authenticated users with lower privileges (such as Editor or Contributor roles) to execute operations restricted to Administrators. The plugin's access control security levels are inadequately validated against the executing user's role or capabilities.
RemediationAI
Update InstaWP Connect to a version newer than 0.1.2.5 if a patched release is available from the vendor. If a patched version is not yet released, temporarily deactivate the plugin or restrict its use to trusted administrator accounts only. Review WordPress user roles and capabilities using the Roles and Capabilities plugin or WordPress built-in role settings to ensure that Editor, Contributor, and other non-Administrator roles cannot access sensitive InstaWP Connect functions. Implement additional authorization checks in any custom integrations with InstaWP Connect. Monitor the Patchstack advisory and NIST NVD page (https://nvd.nist.gov/vuln/detail/CVE-2026-39504) for patch release announcements.
More in Instawp Connect
View allThe InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to
The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due
The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20168
GHSA-2mpg-m27w-5p6f