CVE-2026-39504

InstaWP Connect <= 0.1.2.5 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 0.1.2.7
Time to patch: 36d

Description

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 0.1.2.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 0.1.2.5
Published: March 11, 2026
Last updated: April 15, 2026
Affected plugin: instawp-connect

What Changed in the Fix

Changes introduced in v0.1.2.7

Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan: CVE-2026-39504

1. Vulnerability Summary

The InstaWP Connect plugin (versions up to 0.1.2.5) suffers from a Missing Authorization vulnerability in multiple AJAX handlers. Specifically, the InstaWP_Sync_Ajax::handle_select2 function and several methods in InstaWP_Ajax fail to implement proper capability checks (current_user_can) or nonce verification (check_ajax_referer). This allows authenticated users with subscriber-level permissions to perform unauthorized actions, such as enumerating system users or triggering internal plugin state refreshes (e.g., staging site lists).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Actions:
    • instawp_handle_select2 (Primary for Information Disclosure)
    • instawp_refresh_staging_sites (Candidate for Integrity impact I:L)
    • instawp_check_usages_limit (Candidate for Integrity impact I:L)
  • Vulnerable Hook: wp_ajax_instawp_handle_select2 and others registered in InstaWP_Ajax::__construct and InstaWP_Sync_Ajax::__construct.
  • Authentication: Authenticated (Subscriber level and above).
  • Preconditions: The attacker must be logged into the WordPress site.

3.

Research Findings
Static analysis — not yet PoC-verified

Summary

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access and information disclosure due to missing capability checks in several AJAX handlers, most notably the 'handle_select2' function. This allows authenticated attackers with subscriber-level permissions to enumerate system users and roles or trigger internal plugin actions like staging site refreshes.

Vulnerable Code

// includes/sync/class-instawp-sync-ajax.php around line 141

	public function handle_select2() {
		if ( isset( $_GET['event'] ) ) {
			if ( $_GET['event'] === 'instawp_get_users' ) {
				$keyword = ! empty( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
				$args    = array(
					'search'         => $keyword,
					'paged'          => 1,
					'search_columns' => array( 'user_login', 'user_nicename', 'user_email' ),
					'fields'         => array( 'id', 'user_login' ),
				);
				$users   = get_users( $args );
				$this->send_success(
					'Users loaded',
					array(
						'results' => $users,
						'opt_col' => array(
							'text' => 'user_login',
							'id'   => 'ID',
						),
					)
				);
			} elseif ( $_GET['event'] === 'instawp_get_users_exclude_current' ) {
				// ... logic continues without capability check
			} elseif ( $_GET['event'] === 'instawp_sync_tab_roles' ) {
				// ... role enumeration logic
			}
		}
	}
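The research plan above names the two checks the vulnerable handler lacks (a `current_user_can` capability check and `check_ajax_referer` nonce verification), and the snippet shows a handler that branches on `$_GET['event']` with neither. The following is an added example, not code from InstaWP Connect or from this advisory: a select2-style AJAX handler hardened with both checks, using only WordPress core functions (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_send_json_success`, `get_users`, `wp_roles`). The class name `Example_Sync_Ajax`, the hook `wp_ajax_example_handle_select2`, the nonce action, the required capability and the event names are hypothetical placeholders chosen for the example.

```php
<?php
// Added example (not the plugin's code): a hardened select2-style AJAX handler.
// Every identifier prefixed "example_" / "Example_" is hypothetical.

class Example_Sync_Ajax {

	// Hypothetical nonce action and capability; the plugin's real values are
	// not shown on the advisory page.
	const NONCE_ACTION = 'example_sync_nonce';
	const REQUIRED_CAP = 'manage_options';

	public function __construct() {
		// Register only the authenticated hook: with no wp_ajax_nopriv_ twin,
		// anonymous requests never reach handle_select2() at all.
		add_action( 'wp_ajax_example_handle_select2', array( $this, 'handle_select2' ) );
	}

	public function handle_select2() {
		// 1. Anti-CSRF: the request must carry a valid nonce in "_ajax_nonce".
		//    check_ajax_referer() terminates the request (HTTP 403) on failure.
		check_ajax_referer( self::NONCE_ACTION, '_ajax_nonce' );

		// 2. Authorization: being logged in is not enough. This is exactly the
		//    check the vulnerable version skipped, which let any subscriber in.
		if ( ! current_user_can( self::REQUIRED_CAP ) ) {
			wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
		}

		// 3. Dispatch on an allow-list of event names instead of raw input.
		$event    = isset( $_GET['event'] ) ? sanitize_key( wp_unslash( $_GET['event'] ) ) : '';
		$handlers = array(
			'example_get_users' => array( $this, 'get_users' ),
			'example_get_roles' => array( $this, 'get_roles' ),
		);
		if ( ! isset( $handlers[ $event ] ) ) {
			wp_send_json_error( array( 'message' => 'Unknown event' ), 400 );
		}

		wp_send_json_success( call_user_func( $handlers[ $event ] ) );
	}

	private function get_users() {
		$keyword = ! empty( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';

		// Return only what a user picker needs: ID and login, never user_email,
		// and cap the page size so the endpoint cannot dump the whole table.
		$users = get_users(
			array(
				'search'         => '*' . $keyword . '*',
				'search_columns' => array( 'user_login', 'user_nicename' ),
				'fields'         => array( 'ID', 'user_login' ),
				'number'         => 20,
			)
		);

		return array(
			'results' => $users,
			'opt_col' => array( 'text' => 'user_login', 'id' => 'ID' ),
		);
	}

	private function get_roles() {
		// Role slugs only; the capability gate above already restricts who can ask.
		return array( 'results' => array_keys( wp_roles()->roles ) );
	}
}

new Example_Sync_Ajax();
```

The nonce has to be issued to the admin page's script, for example with `wp_localize_script( 'example-sync', 'exampleSync', array( 'nonce' => wp_create_nonce( 'example_sync_nonce' ) ) )`, and the client sends it as `_ajax_nonce` alongside `action=example_handle_select2`. Checking a capability rather than comparing role names is deliberate: roles are just bundles of capabilities, and a site may grant `manage_options` to a custom role, so `current_user_can()` is the check that stays correct when roles are customised.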

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/instawp-connect/0.1.2.6/includes/sync/class-instawp-sync-ajax.php /home/deploy/wp-safety.org/data/plugin-versions/instawp-connect/0.1.2.7/includes/sync/class-instawp-sync-ajax.php
--- /home/deploy/wp-safety.org/data/plugin-versions/instawp-connect/0.1.2.6/includes/sync/class-instawp-sync-ajax.php	2026-03-06 14:39:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/instawp-connect/0.1.2.7/includes/sync/class-instawp-sync-ajax.php	2026-03-09 11:14:10.000000000 +0000
@@ -139,6 +131,8 @@
 	}
 
 	public function handle_select2() {
+		InstaWP_Tools::verify_ajax_request( InstaWP_Setting::get_allowed_role() );
+
 		if ( isset( $_GET['event'] ) ) {
 			if ( $_GET['event'] === 'instawp_get_users' ) {
 				$keyword = ! empty( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
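Review bot: the new gate `InstaWP_Tools::verify_ajax_request( InstaWP_Setting::get_allowed_role() )` at the top of `handle_select2()` is the only change in this hunk, and its body is outside the diff, so the visible lines cannot confirm that it performs both of the checks the findings say were missing (nonce verification and a capability or role check) or that it terminates the request on failure rather than returning a value the caller ignores; the method should be read alongside this hunk before treating the handler as fixed. This hunk also touches only `class-instawp-sync-ajax.php`, while the research plan lists `instawp_refresh_staging_sites` and `instawp_check_usages_limit` in `InstaWP_Ajax` as candidates for the same issue, so the full 0.1.2.7 diff should be checked for matching gates on those handlers.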

Exploit Outline

1. Authentication: Log in to the WordPress site as a low-privileged user (e.g., Subscriber).
2. Endpoint: Target the WordPress AJAX endpoint at `/wp-admin/admin-ajax.php`.
3. Request Preparation: Craft a request with the action `instawp_handle_select2`.
4. Payload: To enumerate users, set the `event` parameter to `instawp_get_users` and the `term` parameter to a search string (e.g., 'admin').
5. Execution: Send the GET or POST request. In vulnerable versions, the function lacks a `current_user_can` check and (in some cases) nonce verification, returning a JSON list of usernames and IDs matching the search term.
6. Secondary Actions: Other actions like `instawp_refresh_staging_sites` can be similarly triggered by providing the appropriate `action` parameter without higher-level administrative privileges.
