
CVE-2024-13913: InstaWP Connect CSRF Vulnerability

CVE-2024-13913 is a Cross-Site Request Forgery flaw in the InstaWP Connect plugin for WordPress that enables unauthenticated attackers to execute arbitrary PHP code. This article covers technical details, affected versions, and mitigation.


CVE-2024-13913 Overview

CVE-2024-13913 affects the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress in all versions up to and including 0.1.0.83. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw [CWE-352] caused by missing or incorrect nonce validation in the /migrate/templates/main.php file. Attackers can trick authenticated administrators into triggering requests that include and execute arbitrary files on the server. This local file inclusion path enables execution of any PHP code present in those files. The flaw can be abused to bypass access controls, exfiltrate sensitive data, or achieve remote code execution when image and other "safe" file uploads are weaponized.

Critical Impact

Unauthenticated attackers can leverage CSRF to include and execute arbitrary PHP files on vulnerable WordPress installations, leading to full site compromise.

Affected Products

  • InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress
  • All versions up to and including 0.1.0.83
  • WordPress sites with the plugin installed and activated

Discovery Timeline

  • 2025-03-14 - CVE-2024-13913 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-13913

Vulnerability Analysis

The vulnerability resides in the InstaWP Connect plugin's migration template handler at /migrate/templates/main.php. The handler accepts request parameters that drive a PHP include operation without enforcing a valid WordPress nonce. Because nonce validation is absent or incorrect, the action can be invoked through forged cross-origin requests.

An attacker crafts a malicious page or link that issues the migration request when visited by an authenticated administrator. The request causes the plugin to include an attacker-controlled file path on the server, leading to PHP execution within the WordPress process context. The combination of CSRF and file inclusion turns a client-side trust failure into server-side code execution.

This class of issue is particularly impactful on WordPress because the media library and plugin upload paths allow files that contain PHP payloads to be staged under "safe" extensions. Once staged, the file inclusion sink executes their contents.

Root Cause

The root cause is missing or incorrect nonce validation in /migrate/templates/main.php. WordPress requires nonces (via wp_verify_nonce or check_admin_referer) to bind sensitive state-changing requests to a user session. Their absence allows cross-site request forgery against the file inclusion logic.
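As an added illustration of the pattern described in the analysis and root cause above (this is example code, not the InstaWP Connect plugin's own source), the WordPress handler below shows the vulnerable shape, a request parameter flowing into include with no nonce check, beside a hardened version that uses check_admin_referer, a capability check and a fixed allow-list of templates. The parameter name template, the nonce action instawp_render_template and the template file names are assumptions made for this example, not values taken from the plugin; the code assumes it runs inside the WordPress runtime (admin-post.php).

```php
<?php
// Added illustration (not the InstaWP Connect plugin's code). Parameter name
// `template` and nonce action `instawp_render_template` are assumptions.

defined( 'ABSPATH' ) || exit; // assumes the WordPress runtime is loaded

// Vulnerable shape (CWE-352 in front of a file inclusion sink): the request
// parameter reaches include with no nonce and no capability check, so a
// forged cross-site request from an administrator's browser is honoured.
// Shown for contrast only; this function is never registered as an action.
function insecure_render_template() {
    $template = $_GET['template'] ?? '';
    include __DIR__ . '/' . $template; // request-influenced include path
}

// Hardened shape.
function hardened_render_template() {
    // 1. Bind the request to this user's session. check_admin_referer() stops
    //    with a 403 when the nonce is missing, expired or for another action,
    //    which is exactly the check the advisory says was absent or incorrect.
    check_admin_referer( 'instawp_render_template', '_wpnonce' );

    // 2. Authorisation is separate from CSRF protection: the nonce proves the
    //    request came from a page WordPress rendered for this user, the
    //    capability proves the user may perform the action at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }

    // 3. Never build an include path from request data. Map the parameter onto
    //    a fixed allow-list of templates that ship with the plugin (names assumed).
    $allowed = array(
        'main'    => __DIR__ . '/templates/main.php',
        'summary' => __DIR__ . '/templates/summary.php',
    );
    $key = sanitize_key( wp_unslash( $_GET['template'] ?? '' ) );
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_die( esc_html__( 'Unknown template.' ), 400 );
    }
    include $allowed[ $key ];
}

// Register the hardened handler on the admin-post.php hook.
add_action( 'admin_post_instawp_render_template', 'hardened_render_template' );

// The admin UI must emit links that carry the matching nonce; wp_nonce_url()
// appends _wpnonce bound to the same action string the handler verifies.
function render_template_link( $key ) {
    $url = add_query_arg(
        array( 'action' => 'instawp_render_template', 'template' => $key ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'instawp_render_template', '_wpnonce' );
}
```

The nonce alone does not authorise anything: it only proves the request originated from a page WordPress rendered for this user. The capability check and the allow-list are what keep the include sink closed even if a nonce value leaks, which is why the fix for a CSRF-to-file-inclusion chain should address both halves.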

Attack Vector

The attack vector is network-based and requires user interaction. An attacker lures a logged-in administrator to a malicious site that auto-submits a forged request to the vulnerable endpoint. The plugin then includes and executes the referenced PHP file, achieving code execution under the web server's privileges. Refer to the WordPress Plugin Migration Template and the Wordfence Vulnerability Report for additional technical detail.

No verified public exploit code is available; the vulnerability mechanism is documented in the upstream plugin source.

Detection Methods for CVE-2024-13913

Indicators of Compromise

  • Unexpected PHP files staged in wp-content/uploads/ or media directories, particularly files masquerading as images with embedded PHP payloads.
  • Web server access logs showing requests to /wp-content/plugins/instawp-connect/migrate/templates/main.php with file path parameters.
  • Modifications to WordPress core, theme, or plugin files made by the web server user shortly after administrator browsing activity.
  • New administrator accounts or unexpected scheduled tasks (wp_cron) created without authorized change records.

Detection Strategies

  • Audit installed WordPress plugins and flag any InstaWP Connect version at or below 0.1.0.83.
  • Inspect HTTP referrers on requests to InstaWP migration endpoints; cross-origin referrers paired with administrator sessions warrant investigation.
  • Hunt for PHP execution originating from upload directories using process and file telemetry on the WordPress host.
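The following added PHP CLI script (not part of the advisory or the plugin) applies the indicators and detection strategies listed above to access log lines in the Apache/Nginx combined format: it flags requests to the InstaWP migration template handler, notes any cross-origin Referer paired with such a request, and reports PHP files served with HTTP 200 from wp-content/uploads/. The log lines, the site hostname shop.example and the client addresses are constructed sample data.

```php
<?php
// Added detection example (not from the advisory). Scans combined-format
// access log lines for the CVE-2024-13913 indicators. Sample lines, the
// hostname shop.example and client IPs below are constructed placeholders.

const SITE_HOST = 'shop.example';
const VULN_PATH = '/wp-content/plugins/instawp-connect/migrate/templates/main.php';

// Combined log format: host ident user [time] "request" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, trim( $line ), $m ) ) {
        return null; // not a combined-format line; skip it
    }
    $url = parse_url( $m[4] );
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $url['path'] ?? $m[4],
        'query'   => $url['query'] ?? '',
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

// A Referer whose host is not our site means the request was initiated from
// another origin. An empty or "-" Referer is inconclusive on its own because
// browsers frequently strip it, so it is not treated as cross-origin here.
function referer_is_cross_origin( string $referer ): bool {
    if ( $referer === '' || $referer === '-' ) {
        return false;
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return $host !== null && strcasecmp( $host, SITE_HOST ) !== 0;
}

function classify( array $r ): array {
    $findings = array();
    if ( $r['path'] === VULN_PATH ) {
        $note = 'request to vulnerable migration template handler';
        if ( $r['query'] !== '' ) {
            $note .= ' with parameters (' . $r['query'] . ')';
        }
        if ( referer_is_cross_origin( $r['referer'] ) ) {
            $note .= '; cross-origin referer ' . $r['referer'] . ' (possible CSRF)';
        }
        $findings[] = $note;
    }
    // PHP served from the uploads tree should be 403 after hardening; a 200
    // means the web server executed it.
    if ( strpos( $r['path'], '/wp-content/uploads/' ) === 0
        && preg_match( '/\.ph(p[3457]?|tml|ar)$/i', $r['path'] )
        && $r['status'] === 200 ) {
        $findings[] = 'PHP executed from uploads directory: ' . $r['path'];
    }
    return $findings;
}

function scan( array $lines ): array {
    $alerts = array();
    foreach ( $lines as $n => $line ) {
        $r = parse_line( $line );
        if ( $r === null ) {
            continue;
        }
        foreach ( classify( $r ) as $f ) {
            $alerts[] = sprintf( 'line %d %s %s -> %s', $n + 1, $r['time'], $r['ip'], $f );
        }
    }
    return $alerts;
}

// Constructed sample log lines: one benign admin page view, one request to the
// handler arriving from a foreign origin, one PHP file served from uploads,
// and one ordinary image request that must not be flagged.
$sample = array(
    '203.0.113.7 - - [14/Mar/2025:10:02:11 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2025:10:02:40 +0000] "GET /wp-content/plugins/instawp-connect/migrate/templates/main.php?template=EXAMPLE_PATH HTTP/1.1" 200 812 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Mar/2025:10:03:05 +0000] "GET /wp-content/uploads/2025/03/photo.php HTTP/1.1" 200 94 "-" "curl/8.5.0"',
    '198.51.100.9 - - [14/Mar/2025:10:03:09 +0000] "GET /wp-content/uploads/2025/03/photo.jpg HTTP/1.1" 200 40217 "-" "curl/8.5.0"',
);

foreach ( scan( $sample ) as $alert ) {
    echo $alert, PHP_EOL;
}
```

Run with `php detect.php` (or replace the $sample array with `file('/var/log/nginx/access.log')` to scan a real log). On the constructed input it reports the second and third lines only. Matching on the handler path alone will also catch legitimate administrator use of the plugin, so treat the cross-origin Referer and the administrator-session correlation from the strategies above as the signals that raise priority rather than the path hit by itself.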

Monitoring Recommendations

  • Forward WordPress and web server logs to a centralized analytics platform and alert on migrate/templates/main.php requests.
  • Monitor outbound network connections from the PHP worker process for unexpected destinations indicating post-exploitation activity.
  • Track file integrity for WordPress core and plugin directories; alert on writes by the web server user outside of update windows.

How to Mitigate CVE-2024-13913

Immediate Actions Required

  • Update the InstaWP Connect plugin to a version newer than 0.1.0.83 that incorporates the fix from WordPress Changeset 3254817.
  • If an update is not immediately possible, deactivate and remove the plugin until patched.
  • Force re-authentication of administrators and rotate WordPress secret keys (wp-config.php salts) on potentially affected sites.
  • Review user accounts, uploaded files, and scheduled tasks for signs of post-exploitation activity.

Patch Information

The plugin authors addressed the missing nonce validation in WordPress Changeset 3254817. Site operators should install the patched version through the WordPress plugin updater or via WP-CLI. Additional context is available in the Wordfence Vulnerability Report.

Workarounds

  • Restrict access to /wp-admin/ and plugin endpoints using IP allow-listing at the web server or WAF tier.
  • Deploy a web application firewall rule blocking unauthenticated requests to wp-content/plugins/instawp-connect/migrate/templates/main.php.
  • Disable PHP execution in wp-content/uploads/ via web server configuration to limit file inclusion impact.
  • Require administrators to use isolated browsers or sessions when managing WordPress, reducing CSRF exposure from other browsing activity.
```apache
# Apache: disable PHP execution in uploads directory
# Place in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phar)$">
    Require all denied
</FilesMatch>
```

```nginx
# Nginx: equivalent location block
# Regex locations are matched in order, so this block must appear before the
# generic "location ~ \.php$" block that hands requests to PHP-FPM.
location ~* /wp-content/uploads/.*\.ph(p[3457]?|tml|ar)$ {
    deny all;
    return 403;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
