CVE-2024-25918

9.9 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload malicious files to WordPress sites running the InstaWP Connect plugin, leading to remote code execution. It affects all WordPress installations using vulnerable versions of the InstaWP Connect plugin. Attackers can gain full control of affected websites.

💻 Affected Systems

Products:
  • InstaWP Connect WordPress Plugin
Versions: All versions up to and including 0.1.0.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin activated. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the WordPress site, allowing attackers to execute arbitrary code, steal data, deface the site, install backdoors, and pivot to other systems.

🟠

Likely Case

Remote code execution leading to website takeover, data theft, malware distribution, or cryptocurrency mining.

🟢

If Mitigated

Limited impact if file uploads are restricted via web application firewall or other controls, though risk remains high.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers can upload malicious files without authentication. Public proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.0.9 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find InstaWP Connect and update it to version 0.1.0.9 or later.
4. Alternatively, disable and remove the plugin if it is not needed.

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily disable the InstaWP Connect plugin until it is patched:

wp plugin deactivate instawp-connect

Restrict File Uploads via WAF

Platform: all

Configure the web application firewall to block suspicious file uploads.

🧯 If You Can't Patch

  • Remove the InstaWP Connect plugin completely from your WordPress installation
  • Implement strict file upload restrictions at the web server level (e.g., .htaccess rules for Apache)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > InstaWP Connect version. If version is 0.1.0.8 or earlier, you are vulnerable.

Check Version:

wp plugin get instawp-connect --field=version

Verify Fix Applied:

Verify plugin version is 0.1.0.9 or later in WordPress admin panel.
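The version check above compares release numbers, and a plain string comparison gets that wrong once a component reaches two digits (0.1.0.10 sorts before 0.1.0.9 as text). The following script is an added example, not part of this advisory: it runs the `wp plugin get instawp-connect --field=version` command shown above, parses the result numerically and reports whether the installed version is at or below 0.1.0.8. The `--path` argument and the handling of suffixes such as `-beta` are assumptions of this example.

```python
"""Classify an installed InstaWP Connect version against CVE-2024-25918.

Added example (not from the advisory). The only facts taken from the advisory
are the plugin slug, the affected range (<= 0.1.0.8) and the fixed release.
"""
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "instawp-connect"
FIXED_VERSION = "0.1.0.9"      # first patched release named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.1.0.8' into (0, 1, 0, 8).

    Non-numeric suffixes such as '0.1.0.9-beta' are dropped (assumption: a
    pre-release is treated as its base version). Comparing tuples of ints
    avoids the string-ordering trap where '0.1.0.10' < '0.1.0.9'.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))     # pad so (0, 1) compares as (0, 1, 0, 0)
    b += (0,) * (width - len(b))
    return a < b


def installed_version(site_path: str = ".") -> Optional[str]:
    """Ask WP-CLI for the plugin version; None if the plugin or WP-CLI is absent."""
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={site_path}"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print(f"{PLUGIN_SLUG} not installed (or WP-CLI unavailable): not affected")
    elif is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version} is affected by CVE-2024-25918; update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SLUG} {version} is at or above {FIXED_VERSION}: patched")
```

Run it from the WordPress document root (or pass the site path to `installed_version`); a missing plugin is reported as not affected rather than as an error, which is the answer an inventory sweep wants.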

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to WordPress uploads directory
  • POST requests to upload endpoints with suspicious file extensions
  • Execution of unexpected PHP files

Network Indicators:

  • HTTP POST requests to /wp-content/plugins/instawp-connect/ upload endpoints
  • Uploads of files with double extensions like .php.jpg

SIEM Query:

source="web_server" AND ((uri_path="/wp-content/plugins/instawp-connect/*" AND method="POST") OR (file_extension="php" AND upload="true"))

Field names are illustrative and depend on your log source. The outer parentheses keep both indicator clauses scoped to web-server events (without them, AND binds tighter than OR and the second clause matches any source), and the trailing wildcard covers endpoints beneath the plugin directory rather than only the directory itself.
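For sites without a SIEM, the same indicators can be checked directly against the web-server access log. The script below is an added example, not part of this advisory: it parses Apache/nginx "combined" format lines and flags POST requests under the plugin directory and PHP files (including double extensions such as `.php.jpg`) requested from the uploads directory. The log lines are constructed for the example, and the endpoint file name under the plugin directory is a placeholder, since the advisory does not name the real one.

```python
"""Flag CVE-2024-25918 indicators in web-server access logs.

Added example (not from the advisory). Matching is based only on the
indicators listed in the advisory: POSTs under the plugin directory and PHP
files (or .php.<ext> double extensions) under the uploads directory.
"""
import re
from typing import Dict, List

PLUGIN_PATH = "/wp-content/plugins/instawp-connect/"
UPLOADS_PATH = "/wp-content/uploads/"

# Apache/nginx combined format: ip - user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A file name ending in .php, or .php followed by one more extension (shell.php.jpg)
PHP_FILE_RE = re.compile(r"\.php(\.[A-Za-z0-9]+)?$", re.IGNORECASE)


def classify(line: str) -> List[str]:
    """Return the list of indicator names that a single log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []                       # not a combined-format line; ignore
    path = m["path"].split("?", 1)[0]   # drop the query string before matching
    hits = []
    if m["method"] == "POST" and path.startswith(PLUGIN_PATH):
        hits.append("post-to-instawp-endpoint")
    if path.startswith(UPLOADS_PATH) and PHP_FILE_RE.search(path):
        hits.append("php-under-uploads")
    return hits


def scan(lines) -> List[Dict[str, object]]:
    """Collect one finding per line that matches at least one indicator."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            findings.append({"ip": m["ip"], "time": m["time"],
                             "path": m["path"], "indicators": hits})
    return findings


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
# "placeholder-endpoint.php" stands in for the real plugin endpoint, which the advisory does not name.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Feb/2024:10:01:22 +0000] "GET /wp-content/uploads/2024/02/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/Feb/2024:10:02:05 +0000] "POST /wp-content/plugins/instawp-connect/placeholder-endpoint.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.10 - - [15/Feb/2024:10:02:30 +0000] "GET /wp-content/uploads/2024/02/shell.php.jpg?x=1 HTTP/1.1" 200 612 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/Feb/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} -> {', '.join(f['indicators'])}")
```

Point `scan` at `open("/var/log/apache2/access.log")` (or the nginx equivalent) for a real run. A POST to the plugin directory followed within minutes by a request for a PHP file under uploads from the same address is the sequence worth alerting on; a single hit on either indicator alone is a lower-confidence signal, since legitimate plugin traffic also POSTs to its own endpoints.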
