9.8
CVE-2024-4898
- EPSS 4.16%
- Veröffentlicht 12.06.2024 11:15:50
- Zuletzt bearbeitet 08.04.2026 18:21:57
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginInstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
Mögliche Gegenmaßnahme
InstaWP Connect – 1-click WP Staging & Migration: Update to version 0.1.0.39, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Instawp ≫ Instawp Connect SwPlatformwordpress Version < 0.1.0.39
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
InstaWP Connect – 1-click WP Staging & Migration
Version
*-0.1.0.38
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.16% | 0.896 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926
https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c