CVE-2025-2636 Scanner

CVE-2025-2636 Scanner - Local File Inclusion vulnerability in InstaWP Connect

Short Info

| Field | Value |
|---|---|
| Level | Critical |
| Single Scan | Single Scan |
| Can be used by | Asset Owner |
| Estimated Time | 10 seconds |
| Time Interval | 8 days 4 hours |
| Scan only one | Domain, Subdomain, IPv4 |
| Toolbox | - |

InstaWP Connect is a WordPress plugin that simplifies staging site creation and migration through 1-click tools. Designed for developers and site administrators, it enables users to instantly spin up staging environments, migrate sites, and debug issues using InstaWP’s infrastructure. The plugin integrates tightly with the InstaWP platform and is often used in production workflows, particularly for development or testing purposes. It is also a core utility in many WordPress site maintenance toolkits, thanks to its automation features and user-friendly interface.

In versions up to and including 0.1.0.85, InstaWP Connect suffers from a critical **Local File Inclusion (LFI)** vulnerability in the `instawp-database-manager` parameter. The flaw allows unauthenticated attackers to include arbitrary PHP files from the local filesystem: by manipulating the URL and supplying path traversal sequences in the parameter, an attacker can reach and execute internal PHP files. Because an included file is executed if it contains PHP, this can lead to arbitrary code execution, posing a severe threat to site integrity and server security.

The vulnerability stems from the failure to properly sanitize user input in the `instawp-database-manager` GET parameter. The parameter is meant to select database management templates, but the value is used in a file include without directory traversal protection. A crafted request can access sensitive files like `migrate/templates/debug/db-table`, potentially exposing database content or enabling code execution. Since the plugin runs with web server privileges, a successful exploit may allow complete site takeover.
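The defect described above is the classic unsafe pattern of passing a request parameter into `include` with no structural check. The following is an added illustration, not InstaWP Connect's code and not its fix: a hypothetical template resolver (`resolve_template`, with a constructed template directory) that rejects traversal through three independent checks before anything is included. The parameter name is the one from the advisory; the template names, directory layout and `wp_capability_check` helper are assumptions for the demo.

```php
<?php
// Added example: a hardened template resolver for a request parameter that
// selects a file to include. Hypothetical code, not the plugin's own.
declare(strict_types=1);

// Allowlist of template names this endpoint is permitted to render (assumed).
const ALLOWED_TEMPLATES = ['db-table', 'db-summary'];

/**
 * Map a user-supplied template name to an absolute file path under $root,
 * or return null when the request must be rejected. The raw value is never
 * handed to include(); only a canonical path that passed every check is.
 */
function resolve_template(string $name, string $root): ?string
{
    // 1. Structural check: a template name is one short path segment.
    //    This alone rejects '/', '\', '..', NUL bytes and URL-encoded variants.
    if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/', $name)) {
        return null;
    }
    // 2. Allowlist check: only templates this feature knows about may load.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 3. Canonical-path check: the resolved file must exist and must sit
    //    strictly inside the template root, even if symlinks are involved.
    $canonicalRoot = realpath($root);
    $canonicalPath = realpath($root . '/' . $name . '.php');
    if ($canonicalRoot === false || $canonicalPath === false) {
        return null;
    }
    $prefix = $canonicalRoot . DIRECTORY_SEPARATOR;
    if (strncmp($canonicalPath, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $canonicalPath;
}

/**
 * Defence in depth: a debugging endpoint should also require a privileged
 * user. In WordPress this would be current_user_can('manage_options');
 * outside WordPress (this CLI demo) the helper simply denies access.
 */
function wp_capability_check(): bool
{
    return function_exists('current_user_can') && current_user_can('manage_options');
}

// --- Demo with a constructed template directory (not the plugin's layout) ---
$tmp = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
$templateRoot = $tmp . '/templates';
mkdir($templateRoot, 0700, true);
file_put_contents($templateRoot . '/db-table.php', "<?php echo \"db-table template rendered\\n\";\n");

// Constructed request values: one legitimate name and three that a scanner
// for this class of bug would send. Only the first resolves.
$requests = [
    'db-table',
    '../../wp-config',
    'debug/db-table',
    'db-summary',            // allowlisted but no file exists: rejected at step 3
];

foreach ($requests as $value) {
    $path = resolve_template($value, $templateRoot);
    printf("%-20s => %s\n", $value, $path === null ? 'REJECTED' : 'ok');
    if ($path !== null && wp_capability_check()) {
        include $path;       // only ever reached with a canonical, allowlisted path
    }
}

// Clean up the constructed directory.
unlink($templateRoot . '/db-table.php');
rmdir($templateRoot);
rmdir($tmp);
```

In a real handler the value would come from `$_GET['instawp-database-manager']`; the point of the structure is that the regex check makes traversal sequences unreachable, the allowlist makes the set of includable files finite and reviewable, and the `realpath` prefix check catches anything the first two missed, so a scanner probe of the kind this page detects gets a rejection rather than a file.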

Attackers exploiting this vulnerability can gain access to WordPress user credentials, plugin configurations, and other critical site data. They could escalate privileges, implant web shells, or pivot to internal network systems. The LFI may also allow attackers to analyze server-side source code, increasing the risk of further exploitation. Due to its unauthenticated nature and potential for remote code execution, the vulnerability is classified as **Critical** and assigned a CVSS score of 9.8.
