CVE-2024-4898 Scanner

CVE-2024-4898 Scanner - Unauthenticated Admin Account Creation vulnerability in WordPress InstaWP Connect

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 25 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

The InstaWP Connect plugin for WordPress is widely used by web developers and site administrators for migrating and staging WordPress sites. It provides a one-click staging and migration process, which makes it popular among users who manage multiple WordPress sites. Its design allows individuals to duplicate, transfer, or clone WordPress sites without advanced technical skills. Because it integrates with the WordPress REST API, the plugin is especially favored by those who need rapid deployment of websites or environments for testing and development. It streamlines the workflow of managing WordPress installations.

The vulnerability in the InstaWP Connect plugin stems from missing authorization checks in its REST API calls. This oversight allows unauthenticated attackers to connect the website to the InstaWP API. As a result, unauthorized users can edit arbitrary site options and create administrator accounts without any verification. Because the flaw is so easy to reach, it poses a significant risk to the integrity and security of WordPress sites using this plugin. The vulnerability affects versions up to 0.1.0.38, so users are strongly advised to update to a patched version.

Technically, the vulnerability lies in the insecure handling of REST API endpoints, specifically at the point where user creation is handled. The primary flaw is the absence of an authorization check before a connection to the InstaWP API is permitted. The vulnerable parameter is 'api_key'; when it is manipulated by an attacker, the endpoint permits the unauthorized addition of administrator accounts. By exploiting this flaw, attackers bypass the normal authentication and authorization controls and gain administrator-level access to the WordPress installation.
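To illustrate the bug class described above (a REST route that performs a privileged "connect" action with no authorization check) beside a hardened registration, here is an added example written for this page; it is not the InstaWP Connect plugin's code, and the route namespace, option name, handler name and the way 'api_key' is stored are assumptions for illustration.

```php
<?php
/*
 * Hypothetical example, not the plugin's own code. It contrasts the weak
 * pattern behind "missing authorization checks in REST API calls" with a
 * route that requires an authenticated administrator and a matching api_key.
 */

// Weak pattern (do not deploy): registering the route with
//     'permission_callback' => '__return_true'
// makes it a public endpoint, so any unauthenticated request that carries an
// 'api_key' value reaches the callback and its privileged side effects.

// Hardened registration: authorization is enforced in permission_callback,
// which WordPress evaluates before the handler runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-connect/v1', '/connect', array(
        'methods'             => 'POST',
        'callback'            => 'example_connect_handler',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Require an administrator. Cookie-authenticated callers must
            // also send a valid X-WP-Nonce; application passwords work too.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden',
                    'Administrator capability required.', array( 'status' => 403 ) );
            }
            // Compare the supplied key with the stored one in constant time,
            // and refuse if no key has ever been provisioned (assumed option name).
            $stored = (string) get_option( 'example_connect_api_key', '' );
            $given  = (string) $request->get_param( 'api_key' );
            if ( '' === $stored || ! hash_equals( $stored, $given ) ) {
                return new WP_Error( 'rest_forbidden',
                    'Invalid api_key.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'api_key' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// The privileged action itself (illustrative): it only runs once the
// permission_callback above has returned true.
function example_connect_handler( WP_REST_Request $request ) {
    update_option( 'example_connect_linked', 1 ); // assumed option name
    return rest_ensure_response( array( 'linked' => true ) );
}
```

When auditing a plugin for this class of issue, look for every register_rest_route call whose permission_callback is missing, is '__return_true', or checks only a client-supplied secret without any capability check.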

When exploited, this vulnerability allows malicious users to take control of a WordPress site, with severe consequences. Administrator accounts created by attackers can lead to unauthorized modification of site content, deletion of critical files, installation of malware, or further attacks launched from the server. Such exploitation not only compromises site functionality but also endangers user data and can significantly damage the reputation of the affected website.
