What is the vulnerability affecting the InstaWP Connect WordPress plugin?

A critical vulnerability tracked as CVE-2025-2636 with a CVSS score of 9.8 has been reported in the InstaWP Connect WordPress plugin. It is classified as a Local File Inclusion (LFI) vulnerability.

How does the vulnerability work?

The flaw exists in the 'instawp-database-manager' parameter, which enables unauthenticated attackers to include and execute arbitrary PHP files on the server through path traversal.

What actions should WordPress administrators take?

WordPress administrators are strongly advised to check their plugin versions immediately and upgrade to version 0.1.0.86 or later patched releases.

How severe is this vulnerability?

This vulnerability has been assigned a CVSS score of 9.8, which is classified as Critical, indicating the highest level of severity.

Do attackers need to be authenticated to exploit this vulnerability?

No, this is an unauthenticated vulnerability, meaning attackers do not need to have any login credentials to exploit it.

What is a Local File Inclusion (LFI) vulnerability?

A Local File Inclusion (LFI) vulnerability allows attackers to include files that exist on the target server through the web browser. This can expose sensitive information or lead to remote code execution if the attacker can manipulate the content of included files.

Advisory

Critical flaw reported in InstaWP Connect WordPress plugin

Q: What are the potential consequences of this vulnerability?

Exploitation of this vulnerability could lead to unauthorized access to sensitive website data and complete website compromise.

published: April 22, 2025

Take action: If you have installed InstaWP Connect WordPress plugin, update it NOW. The update is trivial, and it's much easier to update a plugin and sleep easy than to worry whether you can be hacked.

Learn More

A critical vulnerability is reported in the InstaWP Connect WordPress plugin.

The vulnerability is tracked as CVE-2025-2636 (CVSS score 9.8) - Classified as a Local File Inclusion (LFI) vulnerability that affects InstaWP Connect versions up to and including 0.1.0.85. The flaw exists in the 'instawp-database-manager' parameter, enabling unauthenticated attackers to include and execute arbitrary PHP files on the server through path traversal.

The exploitation of this vulnerability could lead to unauthorized access to sensitive website data and complete website compromise

All versions of the InstaWP Connect plugin up to and including 0.1.0.85 are vulnerable. WordPress administrators are strongly advised to check their plugin versions immediately.

Website administrators should upgrade to version 0.1.0.86 or later patched releases.

Critical flaw reported in InstaWP Connect WordPress plugin

Read More
Case Theme User WordPress plugin flaw enables authentication …
Active exploitation of critically vulnerable WordPress Motors theme
Critical File Upload Vulnerability Reported in Ninja Forms …
WordPress releases version 6.4.2, advising update because of …
Crawlomatic Multipage Scraper post generator allows unauthorized file …