CVE-2023-3956

Name of the Vulnerable Software and Affected Versions InstaWP Connect plugin for WordPress versions up to, and including, 0.0.9.18

Description The issue allows unauthorized access, modification, and loss of data due to a missing capability check on the events receiver function. This enables unauthenticated attackers to perform various actions, including adding, modifying, or deleting posts and taxonomy, installing, activating, or deactivating plugins, changing customizer settings, and adding, modifying, or deleting users, including administrator users.

Recommendations For InstaWP Connect plugin for WordPress versions up to, and including, 0.0.9.18, update to a version higher than 0.0.9.18 to resolve the issue. As a temporary workaround, consider disabling the events receiver function until a patch is available. Restrict access to sensitive features and settings to minimize the risk of exploitation.