CVE-2024-6397

9.8 CRITICAL

📋 TL;DR

The InstaWP Connect WordPress plugin contains an authentication bypass: because the plugin's REST API does not sufficiently verify the API key presented to it, an unauthenticated attacker who knows a valid username can log in as that user, including an administrator. All versions up to and including 0.1.0.44 are affected; the fix shipped in 0.1.0.45. Any WordPress site with the vulnerable plugin installed and active is exposed.

💻 Affected Systems

Products:
  • InstaWP Connect – 1-click WP Staging & Migration
Versions: All versions up to and including 0.1.0.44
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: WordPress sites with the plugin installed and activated are vulnerable by default.

📦 What is this software?

InstaWP Connect (plugin slug: instawp-connect) links a WordPress site to the InstaWP staging and migration service so that staging copies can be created and sites migrated with one click. To do that it exposes REST API endpoints under the instawp-connect namespace that the InstaWP service authenticates to with an API key; the weak verification of that key is what this CVE describes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover by attackers who can install backdoors, steal data, deface the site, or use it for further attacks.

🟠

Likely Case

Administrative account compromise leading to unauthorized content changes, plugin/theme installation (a common route to a persistent PHP backdoor), or data exfiltration.

🟢

If Mitigated

Reduced impact only if the plugin is deactivated or its REST endpoints are blocked before an attacker reaches them. Account-level privilege restrictions do not help here: the attacker chooses which existing user to become, so as long as any administrator account exists the bypass yields full administrative access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a valid username and knowledge of the vulnerable endpoint. Usernames are rarely secret on WordPress: the public /wp-json/wp/v2/users endpoint and the ?author=1 redirect expose them on most sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.0.45 and later (the first release after 0.1.0.44)

Vendor Fix (plugin repository changeset): https://plugins.trac.wordpress.org/changeset/3114674/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Check for updates.
4. Update InstaWP Connect to the latest version.
5. Verify that the installed plugin version is 0.1.0.45 or later.

🔧 Temporary Workarounds

Disable the plugin (all platforms)

Temporarily deactivate the InstaWP Connect plugin until it is patched. Deactivation is enough: WordPress does not load a deactivated plugin's code, so its REST routes are not registered.

wp plugin deactivate instawp-connect

Restrict API access (all platforms)

Use web application firewall (WAF) rules to block requests to the plugin's REST namespace until the update is applied. Match both forms WordPress accepts: the pretty path /wp-json/instawp-connect/ and the query form ?rest_route=/instawp-connect/ (the latter works even when permalinks are disabled, and a rule that only matches /wp-json/ misses it). This breaks the plugin's legitimate staging and migration functions for as long as the rule is in place.

🧯 If You Can't Patch

  • Disable the InstaWP Connect plugin immediately.
  • Implement strict network access controls and monitor for suspicious authentication attempts.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 0.1.0.44 or lower, the site is vulnerable.

Check Version:

wp plugin get instawp-connect --field=version

Verify Fix Applied:

After updating, confirm the plugin version is 0.1.0.45 or later (compare the version numerically, not as a string: 0.1.0.9 is older than 0.1.0.44) and confirm that requests to the plugin's REST endpoints without a valid API key are rejected rather than producing a logged-in session.
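The version check above is easy to get wrong when done with string comparison. The following is an added example (not code from the advisory, InstaWP, or WordPress) that reads the version the way WordPress does, from the "Version:" header of the plugin's main PHP file, and compares it numerically against the last affected release. The plugin header in the block is constructed sample input; on a real site, read the header from wp-content/plugins/instawp-connect/ or use the wp-cli command above.

```python
"""Added example: classify an InstaWP Connect version as affected or patched
by CVE-2024-6397.  Not part of the advisory or the plugin."""
import re
from typing import Optional

LAST_VULNERABLE = "0.1.0.44"   # last affected release per the advisory

# Constructed sample header (layout follows the WordPress plugin-header
# convention; this is not the real file's content).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: InstaWP Connect
 * Description: 1-click WP Staging & Migration
 * Version: 0.1.0.44
 * Text Domain: instawp-connect
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a plugin header block.  The leading
    character class mirrors WordPress's own header regex, which tolerates
    comment decoration such as ' * ' before the field name."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version: str) -> list:
    """Turn '0.1.0.44' into [0, 1, 0, 44].  Non-numeric suffixes such as
    '45-beta1' keep only their leading digits."""
    key = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return key


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like PHP's version_compare, comparing component by
    component.  A plain string comparison would rank '0.1.0.9' above
    '0.1.0.44', which is exactly the mistake that mis-classifies sites."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))      # treat 0.1.0.44 and 0.1.0.44.0 as equal
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_vulnerable(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return compare_versions(version, LAST_VULNERABLE) <= 0


def check_plugin_header(header_text: str) -> dict:
    """Combine both steps into one verdict for a plugin file's contents."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"version": None, "vulnerable": None,
                "note": "no Version: header found"}
    vulnerable = is_vulnerable(version)
    return {"version": version, "vulnerable": vulnerable,
            "note": "update to 0.1.0.45 or later" if vulnerable else "patched"}


if __name__ == "__main__":
    print(check_plugin_header(SAMPLE_PLUGIN_HEADER))
    for v in ("0.1.0.9", "0.1.0.44", "0.1.0.45", "0.1.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

The same comparison can be applied to the output of `wp plugin get instawp-connect --field=version` or to a fleet inventory; the point is that the cut-off is a four-component version and each component must be compared as an integer.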

📡 Detection & Monitoring

Log Indicators:

  • Requests to the plugin's REST endpoints (/wp-json/instawp-connect/v1/* or ?rest_route=/instawp-connect/v1/*) from addresses that are not the InstaWP service
  • Administrator sessions that begin without a preceding successful POST to wp-login.php: the bypass issues a session directly, so do not expect a burst of failed logins before the compromise
  • New administrator accounts, plugin or theme installations, or file changes shortly after such requests

Network Indicators:

  • HTTP requests to /wp-json/instawp-connect/v1/* (or the equivalent ?rest_route=/instawp-connect/v1/* form) from sources other than the InstaWP service, followed by admin-area traffic from the same address

SIEM Query (Splunk-style; field names depend on how your web-server logs are parsed):

source="access.log" (uri_path="/wp-json/instawp-connect/*" OR uri_query="*rest_route=/instawp-connect/*") status=200
| stats count, min(_time), max(_time) by src_ip, uri_path
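To make the log, network and SIEM indicators above concrete, here is an added example (not code from the advisory or the plugin) that runs them over web-server access logs in combined format. It raises two kinds of finding: `plugin_rest_request` for any request into the plugin's REST namespace, matched on both the /wp-json/ path and the ?rest_route= query form, from an IP not on an allowlist; and `admin_without_login` for a 200 response from the admin area to an IP that never completed the login form (a POST to wp-login.php answered with a 302), which is what a session minted by a REST call looks like. The log lines and addresses are constructed for the example, the allowlist of InstaWP service addresses is an assumption left empty, and the route name after /v1/ is a placeholder: only the namespace prefix is matched.

```python
"""Added example: detection logic for the CVE-2024-6397 indicators, run over
constructed access-log lines.  Not part of the advisory or the plugin."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

NAMESPACE = "/instawp-connect/"
# Assumption: addresses of the InstaWP service would be listed here so its
# legitimate calls are not flagged; none are known to this example.
TRUSTED_IPS = set()
# Admin-area scripts that unauthenticated visitors legitimately reach.
ADMIN_PUBLIC = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log: a normal form login from 198.51.100.9, then two
# sources hitting the plugin namespace (placeholder route name) and one of
# them reaching the admin area without ever logging in.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:12:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 25110 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:05:30 +0000] "POST /wp-json/instawp-connect/v1/example-route HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jul/2024:12:05:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 25110 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jul/2024:12:05:40 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 18770 "-" "python-requests/2.31"
192.0.2.50 - - [10/Jul/2024:12:07:02 +0000] "GET /index.php?rest_route=/instawp-connect/v1/example-route HTTP/1.1" 200 312 "-" "curl/8.4.0"
192.0.2.50 - - [10/Jul/2024:12:07:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "curl/8.4.0"
"""


def parse_line(line):
    """One combined-format line -> dict, or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hits_plugin_namespace(target):
    """True for /wp-json/instawp-connect/... and ?rest_route=/instawp-connect/..."""
    u = urlsplit(target)
    if u.path.startswith("/wp-json" + NAMESPACE):
        return True
    return any(r.startswith(NAMESPACE)
               for r in parse_qs(u.query).get("rest_route", []))


def scan(log_text):
    """Return findings in log order; each is a dict with ip, ts, kind, detail."""
    findings = []
    logged_in = set()          # IPs that completed the normal login form
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        path = urlsplit(rec["target"]).path
        # A successful form login is a POST to wp-login.php answered with a
        # redirect; a failed one re-renders the form with a 200.
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == 302:
            logged_in.add(rec["ip"])
            continue
        if hits_plugin_namespace(rec["target"]) and rec["ip"] not in TRUSTED_IPS:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "kind": "plugin_rest_request",
                             "detail": f'{rec["method"]} {rec["target"]} -> {rec["status"]}'})
        elif (rec["status"] == 200 and path.startswith("/wp-admin/")
              and path not in ADMIN_PUBLIC and rec["ip"] not in logged_in):
            # Unauthenticated visitors get a 302 to wp-login.php here, so a
            # 200 means an active session that this log never saw created.
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "kind": "admin_without_login",
                             "detail": f'{rec["method"]} {rec["target"]}'})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]:%H:%M:%S} {f["ip"]:<14} {f["kind"]:<20} {f["detail"]}')
```

The `admin_without_login` signal only holds when the log window covers the session's start; an administrator who logged in before the window begins will be flagged too, so treat `plugin_rest_request` hits as the primary pivot and then look for user, plugin and file changes from the same address in the minutes that follow.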

🔗 References