A severe security vulnerability has been identified in the InstaWP Connect WordPress plugin, posing a significant risk to websites using this tool. The vulnerability, tracked as CVE-2025-2636, is an unauthenticated Local PHP File Inclusion flaw that could allow attackers to gain complete control over affected websites.
InstaWP Connect is a WordPress plugin developed by the InstaWP team to facilitate WordPress staging and migration. It functions as a companion tool for InstaWP, a platform that enables users to create WordPress websites for various purposes, including testing plugins and themes, product demos, and client project delivery. The plugin is actively used on over 20,000 websites.
The vulnerability resides in the 'instawp-database-manager' parameter of the InstaWP Connect plugin. It affects all versions of the plugin up to and including 0.1.0.85. This local file inclusion flaw enables unauthenticated attackers to include and execute arbitrary files on the server.
Successful exploitation of this vulnerability can have devastating consequences. Attackers could:
Bypass access controls
Obtain sensitive data
Achieve code execution

In scenarios where attackers can upload seemingly harmless files, such as images, they can then include and execute them to gain control of the web server.
The InstaWP team has released a patched version of the plugin, version 0.1.0.86, to address this vulnerability. Users are strongly advised to update to this version immediately to protect their websites from potential attacks.
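As an added illustration for the flaw described above and the patched release (this is not code from the article or from InstaWP), the following Python checks whether an installed plugin version falls in the affected range and scans web-server access logs for requests that carry the 'instawp-database-manager' parameter with traversal or path-like values. It assumes the parameter arrives in the request URL; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PATCHED_VERSION = "0.1.0.86"          # first fixed release per the advisory
PARAM = "instawp-database-manager"    # parameter named in the advisory


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(installed):
    """True when the installed version is below the patched release."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


# Common Log Format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def classify(value):
    """Rank a decoded parameter value: traversal > path > review."""
    if re.search(r"\.\.[/\\]", value):
        return "traversal"
    if "/" in value or "\\" in value:
        return "path"
    return "review"   # parameter present; worth a look on an unpatched site


def flag_requests(lines):
    """Return every request carrying PARAM, with its classified value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for raw in qs.get(PARAM, []):
            value = unquote(raw)   # catch double-encoded values too
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "value": value,
                         "kind": classify(value)})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /?instawp-database-manager=..%2F..%2Ftarget.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2025:12:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Apr/2025:12:00:03 +0000] "GET /?instawp-database-manager=%2Fwp-content%2Fuploads%2F2025%2F04%2Fimage.jpg HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print("0.1.0.85 vulnerable:", is_vulnerable("0.1.0.85"))
    for hit in flag_requests(SAMPLE_LOGS):
        print(hit["kind"], hit["ip"], hit["value"])
```

A "path" hit pointing into the uploads directory matches the upload-then-include scenario the article describes, so those deserve the same attention as traversal attempts.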