Critical WordPress Plugin Flaw Exposes Sites to File Inclusion Attacks
A critical security flaw has been uncovered in the widely used InstaWP Connect WordPress plugin, putting thousands of websites at risk of remote exploitation.
Researchers at Wordfence identified the vulnerability, tracked as CVE-2025-2636, which enables unauthenticated attackers to execute arbitrary code on vulnerable websites. The flaw has been assigned a CVSS score of 9.8, indicating maximum severity, and immediate updates are strongly recommended for all users.
InstaWP Connect Plugin – LFI Vulnerability Overview
This Local File Inclusion (LFI) vulnerability impacts all versions up to and including 0.1.0.85 of the InstaWP Connect plugin. The flaw originates in the plugin’s database management component, specifically through improper input validation on the instawp-database-manager parameter.
Technically classified as CWE-73: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), the issue allows remote attackers to include and execute arbitrary files on the server — all without authentication.
InstaWP Connect is a companion plugin designed to integrate WordPress sites with the InstaWP platform for staging, development, and migration purposes. However, the plugin fails to adequately sanitize user input before passing it to PHP functions, creating a severe attack surface.

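The pattern the advisory describes, shown here as an added example that is not InstaWP Connect's code: a request value chooses a file for include(), beside a hardened resolver that allow-lists page identifiers and confirms containment with realpath(). Only the parameter name comes from the advisory; the directory layout, page names and function names are assumptions.

```php
<?php
// Added example, not InstaWP Connect's own code. It shows the generic
// unauthenticated-LFI pattern (a request parameter reaches include()) and a
// hardened replacement. Directory layout, page names and function names are
// assumptions; only the parameter name is from the advisory.

declare(strict_types=1);

// Hypothetical unsafe pattern: the raw parameter value selects the file.
// Anything the caller controls (../ sequences, absolute paths, stream
// wrappers) reaches the include, which is the condition the advisory names.
function load_manager_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened version: an explicit allow-list of page identifiers, plus a
// realpath() containment check as defence in depth.
const MANAGER_PAGES = ['overview', 'tables', 'export'];

function resolve_manager_page(string $page, string $base_dir): ?string
{
    // 1. Only known identifiers are accepted; anything else is rejected
    //    before a path is even built.
    if (!in_array($page, MANAGER_PAGES, true)) {
        return null;
    }
    // 2. Resolve both sides to canonical absolute paths and require the
    //    candidate to sit inside the base directory (catches symlinks too).
    $real_base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $page . '.php');
    if ($real_base === false || $candidate === false) {
        return null; // base directory or page file does not exist
    }
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $candidate;
}

// Hardened loader. In a plugin the $page value would come from the request
// parameter named in the advisory; how it is transported is not assumed here.
function load_manager_page_safe(string $page, string $base_dir): void
{
    $path = resolve_manager_page($page, $base_dir);
    if ($path === null) {
        http_response_code(400);
        exit('invalid page');
    }
    include $path;
}

// Stand-alone demonstration: build a temporary pages directory and try one
// legitimate identifier and two constructed hostile values.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/pages', 0700, true);
file_put_contents($tmp . '/pages/overview.php', "<?php echo 'overview';\n");

$samples = ['overview', '../wp-config', 'php://filter/resource=overview'];
foreach ($samples as $value) {
    $resolved = resolve_manager_page($value, $tmp . '/pages');
    printf("%-32s => %s\n", $value, $resolved === null ? 'rejected' : 'ok');
}

unlink($tmp . '/pages/overview.php');
rmdir($tmp . '/pages');
rmdir($tmp);
```

The allow-list alone already rejects everything that is not a known page name; the realpath() containment step is kept so that a later change to the allow-list (or a symlink inside the pages directory) cannot silently reopen the hole.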
Discovered by security researcher Cheng Liu, the vulnerability can be exploited via a crafted HTTP request that triggers the LFI condition, potentially resulting in full server compromise. Key risks include:
- No authentication required
- Remote exploitability
- Potential full server control
Administrators are urged to patch immediately to prevent exploitation.
The summary of the vulnerability is given below:
| Risk Factors | Details |
|---|---|
| Affected Products | InstaWP Connect Plugin for WordPress (versions <= 0.1.0.85) |
| Impact | Include and execute arbitrary PHP files; bypass access controls; obtain sensitive data; achieve code execution |
| Exploit Prerequisites | No authentication required; remote exploitation possible |
| CVSS 3.1 Score | 9.8 (Critical) |
Impact on WordPress Sites
This vulnerability poses a serious threat, enabling attackers to bypass access controls, extract sensitive information such as database credentials, and execute arbitrary code on the server.
In environments where file uploads are allowed—even for seemingly harmless file types like images—attackers could upload PHP payloads disguised as legitimate files, then leverage the LFI flaw to trigger their execution.
According to intelligence from VulDB, the estimated exploit price ranges from $0 to $5,000, suggesting a relatively low barrier to exploitation.
The CVSS v3.1 vector confirms that the attack is network-based, requires low complexity, and demands no privileges or user interaction, making it highly accessible to attackers.
Website administrators using InstaWP Connect are strongly advised to upgrade to version 0.1.0.86 or later, which addresses this vulnerability. If an immediate update is not feasible, the plugin should be temporarily deactivated until a patch can be applied.
This flaw follows a series of previous vulnerabilities in the plugin, including authentication bypass issues in versions 0.1.0.44 and 0.1.0.38, underscoring the critical need for regular plugin updates.
Security experts stress the severity of unauthenticated LFI vulnerabilities, as they may result in complete site compromise without requiring any user credentials.
To bolster protection, site owners are also urged to deploy a Web Application Firewall (WAF) as a proactive defense measure against similar attacks.
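For sites that cannot update straight away, the request-layer screening a WAF rule would express can also be written as a small must-use plugin. This is an added example, not code from InstaWP, Wordfence or any WAF vendor; the parameter name is from the advisory, while the hook, the use of $_REQUEST and the log format are assumptions.

```php
<?php
// Added example, not code from InstaWP Connect or Wordfence. A must-use
// plugin style request screen that rejects obviously hostile values in the
// parameter named in the advisory, as a stop-gap until the plugin is updated.
// The parameter name is from the advisory; the hook choice, the assumption
// that the value arrives via $_REQUEST, and the log format are assumptions.

declare(strict_types=1);

const SCREENED_PARAM = 'instawp-database-manager';

// Returns a short reason when a value looks like a file-inclusion attempt,
// or null when it looks like a plain identifier.
function lfi_screen_reason(string $raw): ?string
{
    // Decode twice so single- and double-encoded sequences are both seen.
    $value = rawurldecode(rawurldecode($raw));
    if (strpos($value, "\0") !== false) {
        return 'null byte';
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        return 'directory traversal';
    }
    if (preg_match('#^([a-z]:)?[\\\\/]#i', $value)) {
        return 'absolute path';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        return 'stream wrapper'; // php://, data://, file://, ...
    }
    return null;
}

// Screens one request array ($_REQUEST in practice); null means "let it pass".
function lfi_screen_request(array $request): ?string
{
    if (!isset($request[SCREENED_PARAM])) {
        return null;
    }
    return lfi_screen_reason((string) $request[SCREENED_PARAM]);
}

if (function_exists('add_action')) {
    // Under WordPress: mu-plugins load before regular plugins, so this runs
    // before the plugin's own handlers see the request.
    add_action('muplugins_loaded', function (): void {
        $reason = lfi_screen_request($_REQUEST);
        if ($reason !== null) {
            error_log(sprintf('[lfi-screen] blocked %s from %s: %s',
                SCREENED_PARAM,
                $_SERVER['REMOTE_ADDR'] ?? '-',
                $reason));
            status_header(403);
            exit;
        }
    });
} else {
    // Stand-alone demonstration with constructed values.
    $samples = ['overview', '..%2F..%2Fwp-config', 'php://filter/resource=x', "a\0b"];
    foreach ($samples as $value) {
        printf("%-28s => %s\n",
            addcslashes($value, "\0"),
            lfi_screen_reason($value) ?? 'allowed');
    }
}
```

The screen is deliberately narrow: it only touches the one parameter and only rejects values that can never be a legitimate page identifier, so it is unlikely to break normal use. It is an interim measure, not a replacement for installing 0.1.0.86 or later.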