CVE-2024-13913
📋 TL;DR
This Cross-Site Request Forgery (CSRF) vulnerability in the InstaWP Connect WordPress plugin allows unauthenticated attackers to execute arbitrary PHP code on affected servers by including malicious files. Attackers can bypass access controls, steal sensitive data, or achieve full server compromise. All WordPress sites running vulnerable versions of the plugin are affected.
💻 Affected Systems
- InstaWP Connect – 1-click WP Staging & Migration WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover through arbitrary code execution, leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized file inclusion leading to sensitive data exposure, privilege escalation, or website defacement.
If Mitigated
Limited impact if proper file upload restrictions and server hardening are in place, though CSRF protection bypass remains possible.
🎯 Exploit Status
Exploitation requires CSRF attack vector and ability to upload/include malicious files. No authentication needed for initial attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.1.0.83
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3254817/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Check whether an update is available for InstaWP Connect.
4. Click 'Update Now' if an update is available.
5. Verify that the plugin version is above 0.1.0.83.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the InstaWP Connect plugin until it is patched:
wp plugin deactivate instawp-connect
Implement CSRF protection
Add custom nonce validation to the vulnerable endpoints
🧯 If You Can't Patch
- Restrict file upload capabilities to prevent malicious file inclusion
- Implement web application firewall rules to block suspicious file inclusion requests
🔍 How to Verify
Check if Vulnerable:
Check the plugin version under WordPress admin panel → Plugins → InstaWP Connect. If the version is 0.1.0.83 or lower, the site is vulnerable.
Check Version:
wp plugin get instawp-connect --field=version
Verify Fix Applied:
Confirm that the plugin version shown in the WordPress admin panel is above 0.1.0.83.
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion requests to /migrate/templates/main.php
- CSRF attempts with missing nonce parameters
- Unexpected PHP file execution in plugin directory
Network Indicators:
- POST requests to vulnerable endpoints without proper referrer headers
- File upload attempts with PHP extensions
SIEM Query:
source="wordpress.log" AND ("main.php" OR "instawp-connect") AND ("include" OR "require" OR "file_get_contents")
🔗 References
- https://plugins.trac.wordpress.org/browser/instawp-connect/trunk/admin/class-instawp-admin.php#L159
- https://plugins.trac.wordpress.org/browser/instawp-connect/trunk/migrate/templates/main.php#L27
- https://plugins.trac.wordpress.org/changeset/3254817/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ea6c7b63-00da-4476-a024-97fe99af643d?source=cve