CVE-2024-13913
Published: 14 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2024-13913 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress in all versions up to and including 0.1.0.83. The issue stems from missing or incorrect nonce validation in the '/migrate/templates/main.php' file, which enables unauthenticated attackers to include and execute arbitrary files on the server. This flaw allows the execution of PHP code within those files, particularly when leveraging uploads of images or other "safe" file types that can be included.
The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8) records that user interaction is required: an unauthenticated attacker must trick an authenticated user into performing a malicious action, such as visiting a crafted webpage. Successful exploitation has high confidentiality, integrity, and availability impact, enabling attackers to bypass access controls, obtain sensitive data, or achieve remote code execution on the targeted WordPress server.
Mitigation details are outlined in the WordPress plugin trac references, which point to the code locations 'class-instawp-admin.php' (line 159) and 'main.php' (line 27) and to the patch applied in changeset 3254817. Security practitioners should update the InstaWP Connect plugin to a version beyond 0.1.0.83, as advised by sources such as Wordfence threat intelligence, to address the nonce validation deficiency and prevent arbitrary file inclusion.
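The root cause described above is a request handler that acts on request data without verifying a nonce, so a forged cross-site request is indistinguishable from a legitimate one, combined with using that data to choose a file to include. The following PHP is an added example written for this page, not the plugin's own code or its patch: it shows the unsafe shape beside a hardened handler using the standard WordPress APIs (wp_verify_nonce(), current_user_can(), sanitize_key(), plugin_dir_path()). The function names, the 'example_render' nonce action and the template allowlist are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Names such as example_render_template(),
// the 'example_render' nonce action and $allowed_templates are assumptions.

// Unsafe shape: the request parameter flows straight into include, and nothing
// ties the request to a logged-in user's intent, so a forged request succeeds.
function example_render_template_unsafe() {
    $template = $_GET['template']; // attacker-controlled
    include $template;             // arbitrary file inclusion
}

// Hardened shape.
function example_render_template() {
    // 1. Capability check: only users allowed to manage the site may trigger this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: wp_verify_nonce() returns false for a missing, forged or
    //    expired nonce, which defeats CSRF. The legitimate form or link that
    //    triggers this handler carries wp_create_nonce( 'example_render' ).
    $nonce = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_render' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    // 3. Allowlist: the request value selects a key, never a path.
    $allowed_templates = array(
        'main'    => 'templates/main.php',
        'summary' => 'templates/summary.php',
    );
    $key = isset( $_GET['template'] ) ? sanitize_key( $_GET['template'] ) : 'main';
    if ( ! isset( $allowed_templates[ $key ] ) ) {
        wp_die( 'Unknown template', '', array( 'response' => 400 ) );
    }

    // 4. Resolve relative to the plugin directory and confirm the final path
    //    still lies inside it (guards against symlinks or future allowlist typos).
    $base = wp_normalize_path( plugin_dir_path( __FILE__ ) );
    $real = realpath( $base . $allowed_templates[ $key ] );
    if ( false === $real ) {
        wp_die( 'Template not found', '', array( 'response' => 404 ) );
    }
    $path = wp_normalize_path( $real );
    if ( 0 !== strpos( $path, $base ) ) {
        wp_die( 'Template not found', '', array( 'response' => 404 ) );
    }
    include $path;
}

// Hook the hardened handler to an admin-post action (nonce created alongside).
add_action( 'admin_post_example_render', 'example_render_template' );
```

The allowlist is what removes the file-inclusion primitive; the nonce check is what removes the CSRF vector. Either alone leaves a gap: a nonce without an allowlist still lets a tricked administrator include an arbitrary file, and an allowlist without a nonce still lets a forged request trigger the action.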
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1505.003 (Server Software Component: Web Shell)
Why these techniques?
The CSRF vulnerability in a public-facing WordPress plugin allows direct exploitation of the application for initial access (T1190), and the resulting arbitrary PHP file inclusion gives remote code execution, which directly facilitates web shell deployment (T1505.003).