CVE-2024-4898 PoC — WordPress plugin InstaWP Connect 安全漏洞

Source

Associated Vulnerability

Description

CVE-2024-4898 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation

Readme

# CVE-2024-4898-Poc
CVE-2024-4898 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/instawp-connect/instawp-connect-1-click-wp-staging-migration-01038-missing-authorization-to-unauthenticated-api-setuparbitrary-options-updateadministrative-user-creation

File: wp-content/plugins/instawp-connect/includes/class-instawp-rest-api.php
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/d6287d11-bf9d-4cb9-9dc6-7c49904d7757)
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/23e2517f-9c56-4ca7-91f7-0111d5416f41)
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/b34e0d39-163e-46ce-881f-119aa20d535c)

File: wp-content/plugins/instawp-connect/includes/class-instawp-tools.php
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/4962fb44-6c21-4e57-ba66-182479444401)

## Poc:
Create user role Administrator

Create api key: https://app.instawp.io/user/api-tokens
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/3dfe5d78-5311-4a8a-8d13-ad2363ea9925)

https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/01be7c07-1894-4e70-9966-5ba7dce1fd2a

File Snapshot

 [4.0K]  /data/pocs/797f378c4206ea580a3b4a5d97ddc277e5f7eaf6
├── [1.0K]  CVE-2024-4898
├── [1.1M]  instawp-connect.0.1.0.38.zip
└── [1.3K]  README.md

1 directory, 3 files

Remarks