Full Report
The Moroccan authorities have warned users of a critical vulnerability in the popular WordPress plugin, InstaWP Connect. The General Directorate of Information Systems Security (DGSSI), which operates under Morocco's National Defense Administration, shared news details following the WordPress vulnerability. This advisory comes amid a growing number of cyberattacks targeting government websites in Morocco, with attackers believed to be linked to hacker groups based in Algeria. The vulnerability, identified as CVE-2025-2636, specifically impacts older versions of the plugin. Versions prior to 0.1.0.88 are at risk. This security flaw enables unauthorized attackers to remotely execute malicious PHP code on affected websites. If left unpatched, the vulnerability could lead to a variety of security breaches, including unauthorized access to sensitive data or even full website compromise. WordPress, the widely used content management system (CMS), has already issued a security patch to resolve the issue. Website administrators are strongly advised to update their plugins to version 0.1.0.86 or a later patched release. The fix can be easily applied via the WordPress platform's dedicated plugin update page. InstaWP Connect WordPress Plugin Vulnerability Details [caption id="attachment_102169" align="alignnone" width="1028"] InstaWP Connect Vulnerability Advisory (Source: dgssi.gov.ma)[/caption] The vulnerability, designated CVE-2025-2636, is described as a Local File Inclusion (LFI) issue, which is a type of vulnerability that allows attackers to include and execute arbitrary files on the server. This vulnerability affects all versions of the plugin up to and including 0.1.0.85. Specifically, the flaw exists in the 'instawp-database-manager' parameter, which, when exploited, enables unauthenticated attackers to gain access to the server and execute malicious PHP code. Once attackers can execute PHP code, they could potentially bypass access controls, extract sensitive information, or manipulate the server in a way that could compromise the entire website. Even though the plugin is designed to allow staging and migration for WordPress sites, the vulnerability exposes users to cybersecurity risks if not addressed. Impact of the Vulnerability The CVE-2025-2636 vulnerability has been rated as Critical, with an overall CVSS score of 8.1, signaling a high level of severity. Exploiting this vulnerability could allow attackers to execute PHP code remotely without the need for authentication. This makes it particularly dangerous, as even individuals with no login credentials could gain full control over the affected WordPress sites. As Morocco faces an ongoing series of cyberattacks on its government and public sector websites, this warning highlights the critical need for all website administrators—particularly those using WordPress and the InstaWP Connect plugin—to take immediate action. Steps for Mitigation To mitigate the risks associated with CVE-2025-2636, website administrators are strongly encouraged to upgrade to version 0.1.0.86 of the plugin, or a later, patched release. This update addresses the LFI vulnerability and strengthens the security of WordPress websites relying on this plugin. For those using older versions of the plugin, immediate updates are crucial to prevent potential exploitation. Additionally, website administrators should always maintain a regular schedule of security updates to ensure their WordPress sites remain protected from future vulnerabilities. Wordfence Provides Further Insights The security team at Wordfence, a popular security plugin for WordPress, has also shared additional information on the vulnerability. According to Wordfence's findings, the plugin, specifically versions Wordfence's vulnerability report details the CVSS vector as follows: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This highlights the risk of unauthorized access and control over affected websites, reinforcing the importance of promptly applying security patches.
Analysis Summary
# Vulnerability: Unauthenticated Local PHP File Inclusion (LFI) in InstaWP Connect Plugin
## CVE Details
- CVE ID: CVE-2025-2636
- CVSS Score: 8.1 (High) (Derived from the provided vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CWE: CWE-98 (Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection') or similar structure related to file inclusion/code execution)
*Note: The provided CVSS vector suggests a high impact, though the base score calculation for 8.1 based on the provided vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) would typically map to 8.8 (High). We list 8.1 as this is sometimes reported by tooling/vendors.*
## Affected Systems
- Products: InstaWP Connect WordPress Plugin
- Versions: Versions less than or equal to 0.1.0.85 (<= 0.1.0.85)
- Configurations: Any WordPress installation utilizing the vulnerable versions of the plugin.
## Vulnerability Description
The InstaWP Connect WordPress plugin contains an Unauthenticated Local PHP File Inclusion (LFI) vulnerability. This flaw exists in versions prior to 0.1.0.86. Successful exploitation allows an unauthenticated attacker to potentially include and execute arbitrary PHP code on the affected server by leveraging the LFI flaw.
## Exploitation
- Status: PoC available (Implied by detailed security reporting, but not explicitly confirmed as "in the wild")
- Complexity: High (Based on CVSS vector component AC:H - Attack Complexity High, often requiring specific parameters or conditions, though LFI exploitation can sometimes be simplified depending on the implementation details.)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
The impact rating suggests that an attacker could gain control over the server, leading to full compromise of data, file modification/deletion, and potential service disruption.
## Remediation
### Patches
- Immediately upgrade the InstaWP Connect plugin to **version 0.1.0.86** or later.
### Workarounds
- If immediate patching is not possible, the vendor/researchers did not explicitly list workarounds beyond immediate updating. General web application security practice suggests temporarily disabling the plugin until a patch can be applied.
## Detection
- **Indicators of Compromise (IOCs):** Look for suspicious file inclusions or references to the plugin's vulnerable script paths in web server access logs. Successful exploitation would result in arbitrary PHP code execution, yielding logs related to file reads, unauthorized shell commands, or creation of malicious backend files.
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) configured to inspect incoming requests for common LFI payloads (e.g., directory traversal sequences like `../..` or PHP filter includes) and security scanning tools (like Wordfence) can help identify the vulnerability or signs of exploitation.
## References
- [Vendor advisory/Security report link - defanged]: thecyberexpress.com/vulnerability-in-instawp-connect-plugin/
- [Wordfence Findings - defanged]: www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/instawp-connect/instawp-connect-01085-unauthenticated-local-php-file-inclusion