
Cloud Vulnerability DB
A community-led vulnerabilities database
The InstaWP Connect WordPress plugin contains an Improper Privilege Management vulnerability (CVE-2024-22145) in versions up to 0.1.0.8. The vulnerability was first reported on January 10, 2024, and publicly disclosed on January 15, 2024. InstaWP Connect is used for WP Staging & Migration functionality (Patchstack).
The vulnerability stems from a missing capability check in the save_management_settings function, which allows for unauthorized modification of data. It has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-269 (Improper Privilege Management) and affects authenticated users with subscriber-level access and above (WPScan).
The vulnerability allows authenticated attackers with subscriber-level access or higher to modify arbitrary options in the WordPress installation. This can lead to privilege escalation, letting attackers gain higher privileges and potentially take full control of the affected website (Patchstack).
Site administrators are strongly advised to update to version 0.1.0.9 or later, which contains the fix for this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).
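The missing capability check described above, shown as an added example that is not InstaWP Connect's code: a settings handler in its weak form beside a hardened form. All demo_* function, action and option names are hypothetical, and the sketch assumes the settings are saved through a wp_ajax_* action.

```php
<?php
// Added illustration; hypothetical names (demo_*), not InstaWP Connect source.
// Assumption: the settings are saved through a wp_ajax_* action, which
// WordPress dispatches for any logged-in user, subscribers included.

// Weak form: being logged in is the only gate, and the request picks the keys.
function demo_save_settings_unchecked() {
    foreach ( (array) wp_unslash( $_POST['settings'] ?? array() ) as $key => $value ) {
        update_option( $key, $value ); // any option name is accepted
    }
    wp_send_json_success();
}

// Hardened form: nonce, capability check, and a fixed allowlist of option names.
function demo_save_settings_checked() {
    check_ajax_referer( 'demo_save_settings', 'nonce' ); // dies with 403 on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Constructed option names: only the plugin's own settings may be written.
    $allowed = array( 'demo_heartbeat_interval', 'demo_sync_enabled' );
    $input   = (array) wp_unslash( $_POST['settings'] ?? array() );

    foreach ( $allowed as $key ) {
        if ( ! array_key_exists( $key, $input ) || ! is_scalar( $input[ $key ] ) ) {
            continue; // skip absent keys and non-scalar values
        }
        update_option( $key, sanitize_text_field( $input[ $key ] ) );
    }
    wp_send_json_success();
}

// Register only the hardened handler.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_checked' );
```

The capability check is what closes the CWE-269 gap; the nonce and the allowlist are additional hardening that keeps a single missed check from exposing every option in the installation.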
Source: This report was generated using AI