CVE-2024-13913

Name of the Vulnerable Software and Affected Versions: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.83

Description: The issue is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file, making it possible for unauthenticated attackers to include and execute arbitrary files on the server. This allows the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Recommendations: For versions up to, and including, 0.1.0.83, update to a version that includes proper nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the '/migrate/templates/main.php' file to minimize the risk of exploitation.