CVE-2024-2667 Overview
CVE-2024-2667 is a critical arbitrary file upload vulnerability affecting the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. The vulnerability exists due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This flaw makes it possible for unauthenticated attackers to upload arbitrary files to vulnerable WordPress installations, potentially leading to complete site compromise.
Critical Impact
Unauthenticated attackers can upload malicious files including PHP webshells to WordPress sites, enabling remote code execution and full server compromise without any authentication.
Affected Products
- InstaWP Connect WordPress Plugin versions up to and including 0.1.0.22
- WordPress installations using vulnerable InstaWP Connect plugin versions
- Websites utilizing InstaWP staging and migration functionality
Discovery Timeline
- May 2, 2024 - CVE-2024-2667 published to NVD
- February 6, 2025 - Last updated in NVD database
Technical Details for CVE-2024-2667
Vulnerability Analysis
This vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type), representing a severe security flaw in web application file handling. The InstaWP Connect plugin exposes a REST API endpoint at /wp-json/instawp-connect/v1/config that accepts file uploads without proper authentication or file type validation.
The core issue is that the endpoint fails to verify that uploaded files are safe content types, allowing attackers to upload executable PHP files. When combined with the lack of authentication requirements, this creates a direct path for unauthenticated remote code execution. An attacker can upload a PHP webshell and then access it directly via the web server, gaining command execution capabilities on the underlying system.
Root Cause
The root cause of CVE-2024-2667 is insufficient file validation in the plugin's REST API endpoint handler. The /wp-json/instawp-connect/v1/config endpoint was designed to handle configuration data but lacked proper security controls including:
- No authentication check to verify the requester has appropriate permissions
- Missing file type validation to ensure only safe file types are processed
- Absence of content inspection to detect malicious payloads
- No restriction on executable file extensions like .php
Attack Vector
The attack vector for this vulnerability is network-based, requiring no user interaction or prior authentication. An attacker can exploit this vulnerability by:
- Identifying a WordPress site running a vulnerable version of InstaWP Connect
- Sending a crafted HTTP request to the /wp-json/instawp-connect/v1/config REST API endpoint
- Including a malicious PHP file (such as a webshell) in the upload payload
- Accessing the uploaded file directly via its web-accessible path
- Executing arbitrary commands on the server through the uploaded webshell
The vulnerability manifests in the REST API endpoint's file handling mechanism. The endpoint accepts configuration data via HTTP requests but fails to validate the content type or sanitize uploaded files. For detailed technical analysis of the exploitation mechanism, refer to the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2024-2667
Indicators of Compromise
- Unexpected PHP files in WordPress upload directories or plugin folders
- Web server access logs showing POST requests to /wp-json/instawp-connect/v1/config from unknown sources
- Presence of webshell files with suspicious names or obfuscated PHP code
- Unusual outbound network connections from the web server
- New or modified files with recent timestamps in the InstaWP Connect plugin directory
Detection Strategies
- Monitor web server logs for POST requests targeting the /wp-json/instawp-connect/v1/config endpoint
- Implement file integrity monitoring (FIM) to detect unauthorized file uploads or modifications
- Deploy web application firewall (WAF) rules to block suspicious file upload attempts
- Scan WordPress installations for known webshell signatures and malicious PHP patterns
- Review REST API access patterns for anomalous unauthenticated requests
Monitoring Recommendations
- Enable detailed logging for WordPress REST API endpoints
- Set up alerts for new file creation events in web-accessible directories
- Monitor for unusual PHP process execution or command shell spawning
- Implement network traffic analysis to detect command and control communications
- Regularly audit installed WordPress plugin versions against known vulnerability databases
How to Mitigate CVE-2024-2667
Immediate Actions Required
- Update InstaWP Connect plugin to a version newer than 0.1.0.22 immediately
- Review WordPress installations for signs of compromise or unauthorized file uploads
- Remove any suspicious PHP files found in upload directories or plugin folders
- Temporarily disable the InstaWP Connect plugin if immediate patching is not possible
- Implement WAF rules to block requests to the vulnerable endpoint until patched
Patch Information
The vulnerability has been addressed in versions released after 0.1.0.22. Administrators should update to the latest available version of the InstaWP Connect plugin through the WordPress plugin repository. The security fix can be reviewed in the WordPress Plugin Changeset.
Workarounds
- Disable the InstaWP Connect plugin until it can be updated to a patched version
- Implement server-side firewall rules to block access to the vulnerable REST API endpoint
- Use .htaccess or web server configuration to deny access to /wp-json/instawp-connect/v1/config
- Deploy a web application firewall with rules to detect and block arbitrary file upload attempts
- Restrict REST API access to authenticated users only via WordPress security plugins
# Apache .htaccess workaround to block vulnerable endpoint
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/instawp-connect/v1/config [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
