PT-2024-37594 · WordPress · Instawp Connect

Truoc Phan

Published: 2024-07-10
Updated: 2024-07-12

CVE-2024-6397
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress, versions up to and including 0.1.0.44

Description: The issue is caused by insufficient verification of the plugin's API key. An unauthenticated attacker who knows the username of an existing account, such as an administrator, can log in as that user and perform administrative tasks. The vulnerability was partially fixed in version 0.1.0.44 but remained exploitable through Cross-Site Request Forgery, so 0.1.0.44 is still listed as affected.

Recommendations: For versions up to and including 0.1.0.44, consider temporarily disabling the plugin's API key authentication until a complete fix is available, and check with the vendor for an updated release. Restrict access to administrative tasks to limit the impact of a successful attack, and avoid relying on the API key for authentication until the issue is fully resolved. As a temporary workaround, monitor for Cross-Site Request Forgery attempts (for example, unexpected state-changing requests on the plugin's admin endpoints) and apply additional controls against such requests.
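The advisory does not say what the plugin's check looked like, so as an added illustration of the defensive pattern (this is example code written for this page, not the InstaWP Connect plugin's code) the snippet below shows an API-key-protected WordPress REST endpoint that fails closed on a missing key, compares keys in constant time, and never logs a user in based on a caller-supplied username; it also shows the nonce check that blocks CSRF on a browser-driven admin action. The option name `example_connect_api_key`, the route `example-connect/v1/run` and the `example_connect_*` function names are hypothetical.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout:
// option 'example_connect_api_key', route /example-connect/v1/run.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-connect/v1', '/run', array(
        'methods'             => 'POST',
        'callback'            => 'example_connect_run',
        'permission_callback' => 'example_connect_check_api_key',
    ) );
} );

/**
 * Permission callback: require a configured key and a matching presented
 * key, compared in constant time. A WP_Error here makes WordPress reject
 * the request before the route callback ever runs.
 */
function example_connect_check_api_key( WP_REST_Request $request ) {
    $stored = (string) get_option( 'example_connect_api_key', '' );
    $given  = (string) $request->get_header( 'X-Api-Key' );

    // An unset key or an empty header must fail closed, not open.
    if ( '' === $stored || '' === $given ) {
        return new WP_Error( 'rest_forbidden', 'API key required.', array( 'status' => 401 ) );
    }
    // hash_equals() avoids the timing leak of a plain string comparison.
    if ( ! hash_equals( $stored, $given ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }
    return true;
}

function example_connect_run( WP_REST_Request $request ) {
    // Privileged work goes here. Deliberately absent: any
    // wp_set_current_user()/wp_set_auth_cookie() keyed off a username
    // taken from the request, which is what turns a weak key check into
    // a login as an arbitrary account.
    return rest_ensure_response( array( 'ok' => true ) );
}

// Browser-driven admin action: capability check plus a nonce bound to the
// logged-in user, which is the control that stops cross-site request forgery.
add_action( 'admin_post_example_connect_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_connect_save' ); // dies on a missing or invalid nonce
    // ... validate and save the submitted settings ...
    wp_safe_redirect( admin_url( 'admin.php?page=example-connect' ) );
    exit;
} );
```

The form that posts to `admin_post_example_connect_save` would emit the matching field with `wp_nonce_field( 'example_connect_save' )`; without it, `check_admin_referer()` terminates the request, which is the behaviour the CSRF workaround above is trying to approximate from the outside.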

Fix

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel
Improper Authentication

Related Identifiers

CVE-2024-6397

Affected Products

Instawp Connect