Multiple D-LINK DI-8100 Vulnerabilities
April 11, 2025
SpyNote, BadBazaar, and MOONSHINE Malware Target Android and iOS Users Through Fake Applications – Active IOCs
April 11, 2025
Severity
High
Analysis Summary
A critical security vulnerability (CVE-2025-2636) has been discovered in the popular InstaWP Connect WordPress plugin, affecting all versions up to and including 0.1.0.85. This Local File Inclusion (LFI) flaw, classified under CWE-73 (External Control of File Name or Path), stems from insufficient validation of the instawp-database-manager parameter in the plugin's database management functionality: the value supplied in the request is used to select the file the plugin includes.
Security researchers identified that an attacker can exploit the flaw with a single crafted HTTP request, without authentication or user interaction, to include and execute arbitrary files from the server's file system. Any PHP code contained in an included file runs in the web server's context, which is what makes the issue critical rather than a simple information leak.
InstaWP Connect is widely used for creating one-click staging environments and facilitating WordPress site migrations. The plugin works by linking existing WordPress sites to the InstaWP platform, primarily for development and testing. Because of the vulnerability, attackers can bypass access controls, execute files they should never be able to reach, and potentially gain full control of the server. Where file uploads are possible (WordPress accepts images and other "safe" types by default), an adversary can place a file whose body contains PHP code under an innocuous extension, upload it, and then use the LFI flaw to include it, turning the upload into code execution. The result is full compromise of the site and exposure of sensitive data such as the database credentials in wp-config.php.
The vulnerability's low exploitation barrier makes it especially dangerous: it requires no privileges, has low attack complexity, and can be triggered over the network. VulDB's estimated exploit price of $0 to $5,000 points the same way, reflecting the low cost to an attacker of weaponising it. This is also not the first issue reported in the InstaWP Connect plugin (previous flaws include authentication bypass vulnerabilities in versions 0.1.0.44 and 0.1.0.38), which underscores the need to keep plugins updated and to review a plugin's security history before deploying it.
WordPress site administrators are strongly advised to update the plugin to version 0.1.0.86 or later, which contains the patch for this vulnerability. If an immediate update is not feasible, disable the plugin until it can be updated. A Web Application Firewall (WAF) adds a layer of protection against similar requests in future, but it is not a substitute for the patch. The incident is a reminder that plugin hygiene and proactive vulnerability management are core parts of securing web infrastructure.
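The page does not show the plugin's code, so the following is an added illustration in Python (not the plugin's PHP and not InstaWP's code) of the general flaw class described above: a request parameter concatenated straight into an include path, beside the hardened form that maps an allow-listed name to a known file and confirms with a realpath check that the result stays inside the plugin directory. The directory, the manager names and the attacker inputs are constructed for the example and are not taken from the advisory.

```python
import os
import re

# Constructed for this example: a plugin include directory and the set of
# "manager" scripts it legitimately knows about. Names are hypothetical.
PLUGIN_INCLUDES = "/var/www/html/wp-content/plugins/example-connect/includes"
KNOWN_MANAGERS = {
    "export": "db-export.php",
    "import": "db-import.php",
    "status": "db-status.php",
}
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def naive_resolve(base_dir, user_value):
    """Vulnerable pattern: attacker-controlled text goes straight into the path.

    os.path.join discards base_dir when user_value is absolute, and '..'
    segments walk out of it, so the include can be pointed at any file.
    """
    return os.path.normpath(os.path.join(base_dir, user_value))


def is_confined(base_dir, path):
    """True only if path resolves to base_dir or something beneath it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def safe_resolve(base_dir, user_value):
    """Hardened pattern: allow-list the name, then confirm containment anyway."""
    if not isinstance(user_value, str) or not NAME_RE.fullmatch(user_value):
        raise ValueError("rejected: manager name has unexpected characters")
    filename = KNOWN_MANAGERS.get(user_value)
    if filename is None:
        raise ValueError("rejected: unknown manager name")
    path = os.path.join(base_dir, filename)
    if not is_confined(base_dir, path):  # defence in depth, never trust the map
        raise ValueError("rejected: resolved outside plugin directory")
    return path


def classify(base_dir, user_value):
    """Run both resolvers on one input.

    Returns (naive_escapes_base_dir, safe_accepts_input).
    """
    naive_path = naive_resolve(base_dir, user_value)
    try:
        safe_resolve(base_dir, user_value)
        accepted = True
    except ValueError:
        accepted = False
    return (not is_confined(base_dir, naive_path), accepted)


if __name__ == "__main__":
    # Constructed attacker inputs modelled on the page's description: a
    # traversal to a "safe" upload that actually holds PHP, an absolute path,
    # and a traversal that reaches wp-config.php.
    for value in ["export",
                  "../../../uploads/2025/04/avatar.jpg",
                  "/etc/passwd",
                  "export/../../../../wp-config.php"]:
        print(repr(value), classify(PLUGIN_INCLUDES, value))
```

The allow-list is the fix; the realpath containment check is there so that a future edit to KNOWN_MANAGERS (or a symlink under the plugin directory) cannot quietly reintroduce the escape.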
Impact
- Sensitive Data Theft
- Code Execution
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
CVE-2025-2636
Affected Vendors
- InstaWP (InstaWP Connect plugin for WordPress)
Remediation
- Upgrade InstaWP Connect plugin to version 0.1.0.86 or later, which contains the official security patch for CVE-2025-2636.
- If immediate updating is not possible, deactivate the plugin temporarily to prevent exploitation.
- Use a WAF solution (like Wordfence or Sucuri) to block malicious HTTP requests and add an extra layer of protection.
- Audit your WordPress file system (especially wp-content/uploads) for suspicious files that might have been uploaded and executed through LFI: PHP files under uploads, double extensions such as shell.php.jpg, and image or text files whose contents contain a PHP open tag. Review web server access logs for requests carrying the instawp-database-manager parameter with path traversal sequences or references to files under wp-content/uploads.
- Ensure all plugins and custom code validate and sanitize input parameters properly to prevent LFI and other injection vulnerabilities.
- Stay informed on plugin updates and security advisories, especially for high-risk plugins like staging or migration tools.
- Regularly back up your website, use strong admin credentials, and enforce the principle of least privilege for all user roles.
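The file-system audit in the list above can be scripted. The following Python is an added example, not a tool from the page or from InstaWP; it builds a constructed sample uploads tree and flags the three patterns an LFI-plus-upload chain typically leaves behind: an executable extension anywhere under uploads, a double extension like shell.php.jpg, and an image or text file whose bytes contain a PHP open tag. The sample file names and contents are made up for the demonstration; point scan_uploads at a real wp-content/uploads directory to use it.

```python
import os
import re
import shutil
import tempfile

# Extensions WordPress normally allows in wp-content/uploads. Anything with a
# PHP opening tag hiding behind one of these is suspect.
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf", ".txt"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
DANGEROUS_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def scan_uploads(uploads_dir, max_bytes=1024 * 1024):
    """Walk an uploads tree and return sorted (relative_path, reason) findings."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
            lower = name.lower()
            # 1. executable extension anywhere under uploads
            if DANGEROUS_EXT.search(lower):
                findings.append((rel, "php-extension"))
                continue
            # 2. double extension such as shell.php.jpg
            stem, ext = os.path.splitext(lower)
            if DANGEROUS_EXT.search(stem):
                findings.append((rel, "double-extension"))
                continue
            # 3. "safe" extension but PHP code inside the first max_bytes
            if ext in SAFE_EXTENSIONS:
                with open(full, "rb") as fh:
                    head = fh.read(max_bytes)
                if PHP_TAG.search(head):
                    findings.append((rel, "php-tag-in-" + ext.lstrip(".")))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample uploads dir: two legitimate files, three suspect ones."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2025/04/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,   # real JPEG header
        "2025/04/notes.txt": b"release notes, nothing to see",
        "2025/04/avatar.jpg": b"GIF89a<?php system($_GET['c']); ?>",  # PHP behind an image
        "2025/04/shell.php.jpg": b"placeholder",                     # double extension
        "cache/helper.php": b"<?php eval(base64_decode($_POST['p'])); ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for rel_path, reason in scan_uploads(sample_root):
            print(f"{reason:18} {rel_path}")
    finally:
        shutil.rmtree(sample_root)
```

The content check only reads the first megabyte of each file, which keeps the scan cheap on large media libraries; a PHP payload appended to the end of a large image would be missed, so raise max_bytes if that is a concern. A hit is a lead, not proof: confirm by inspecting the file and by correlating its modification time with the access logs.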