CVE-2025-2636: 
WordPress vulnerability analysis and mitigation

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in versions up to and including 0.1.0.85. The vulnerability was discovered and disclosed on April 11, 2025, and is tracked as CVE-2025-2636. This security flaw affects WordPress installations using the vulnerable versions of the InstaWP Connect plugin (NVD).

The vulnerability exists in the plugin's database manager functionality, specifically related to the 'instawp-database-manager' parameter. The flaw allows unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code contained within those files. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (NVD).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other 'safe' file types can be uploaded and included. This gives attackers significant control over affected WordPress installations, potentially compromising the entire website and its data (NVD).

Website administrators should immediately update the InstaWP Connect plugin to version 0.1.0.86 or later, which includes a fix for this vulnerability. The update implements proper sanitization of the 'instawp-database-manager' parameter to prevent arbitrary file inclusion (WordPress Plugin).

The security community has classified this as a critical vulnerability due to its high CVSS score and the potential for unauthenticated remote code execution. The vulnerability has gained attention in the cybersecurity community, being featured in weekly security recaps and threat intelligence reports (Hacker News).