CVE-2024-4898

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
Configurations

Configuration 1 (hide)

cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 09:43

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926 - Patch () https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926 - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve - Third Party Advisory

23 Jul 2024, 17:50

Type Values Removed Values Added
CWE CWE-862
References () https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926 - () https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926 - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve - Third Party Advisory
CPE cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
First Time Instawp
Instawp instawp Connect

13 Jun 2024, 18:36

Type Values Removed Values Added
Summary
  • (es) El complemento InstaWP Connect – 1-click WP Staging & Migration para WordPress es vulnerable a actualizaciones de opciones arbitrarias debido a la falta de controles de autorización en las llamadas a la API REST en todas las versiones hasta la 0.1.0.38 incluida. Esto hace posible que atacantes no autenticados conecten el sitio a la API de InstaWP, editen opciones arbitrarias del sitio y creen cuentas de administrador.

12 Jun 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-12 11:15

Updated : 2024-11-21 09:43


NVD link : CVE-2024-4898

Mitre link : CVE-2024-4898

CVE.ORG link : CVE-2024-4898


JSON object : View

Products Affected

instawp

  • instawp_connect
CWE
CWE-862

Missing Authorization