CVE-2025-2636

HIGH EPSS 95.1%
Published Apr 11, 20251y ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Apr 11, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file types can be uploaded and included, or are already present on the filesystem locally. There are currently no known vulnerabilities in this plugin that make file upload possible, meaning this won't be exploitable to achieve remote code execution on most instances with just this plugin alone. Another vulnerability would need to be present on the site allowing arbitrary file upload in order to leverage this to achieve remote code execution.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
95.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

References 3

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/instawp-connect/trunk/includes/database-manager/loader.php#L77
  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/3269681/
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/4c8f2c6f-c231-477c-895b-df892569ef95?source=cve

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.