Firewall Daily

Critical Security Vulnerability Found in WordPress Plugin InstaWP Connect

The Moroccan authorities have warned users of a critical vulnerability in the popular WordPress plugin, InstaWP Connect. The General Directorate of Information Systems Security (DGSSI), which operates under Morocco’s National Defense Administration, shared news details following the WordPress vulnerability. This advisory comes amid a growing number of cyberattacks targeting government websites in Morocco, with attackers believed to be linked to hacker groups based in Algeria. 

The vulnerability, identified as CVE-2025-2636, specifically impacts older versions of the plugin. Versions prior to 0.1.0.88 are at risk. This security flaw enables unauthorized attackers to remotely execute malicious PHP code on affected websites. If left unpatched, the vulnerability could lead to a variety of security breaches, including unauthorized access to sensitive data or even full website compromise. 

WordPress, the widely used content management system (CMS), has already issued a security patch to resolve the issue. Website administrators are strongly advised to update their plugins to version 0.1.0.86 or a later patched release. The fix can be easily applied via the WordPress platform’s dedicated plugin update page. 

InstaWP Connect WordPress Plugin Vulnerability Details

InstaWP Connect Vulnerability Advisory (Source: dgssi.gov.ma)

The vulnerability, designated CVE-2025-2636, is described as a Local File Inclusion (LFI) issue, which is a type of vulnerability that allows attackers to include and execute arbitrary files on the server. This vulnerability affects all versions of the plugin up to and including 0.1.0.85. Specifically, the flaw exists in the ‘instawp-database-manager’ parameter, which, when exploited, enables unauthenticated attackers to gain access to the server and execute malicious PHP code. 

Once attackers can execute PHP code, they could potentially bypass access controls, extract sensitive information, or manipulate the server in a way that could compromise the entire website. Even though the plugin is designed to allow staging and migration for WordPress sites, the vulnerability exposes users to cybersecurity risks if not addressed. 

Impact of the Vulnerability

The CVE-2025-2636 vulnerability has been rated as Critical, with an overall CVSS score of 8.1, signaling a high level of severity. Exploiting this vulnerability could allow attackers to execute PHP code remotely without the need for authentication. This makes it particularly dangerous, as even individuals with no login credentials could gain full control over the affected WordPress sites. 

As Morocco faces an ongoing series of cyberattacks on its government and public sector websites, this warning highlights the critical need for all website administrators—particularly those using WordPress and the InstaWP Connect plugin—to take immediate action. 

Steps for Mitigation

To mitigate the risks associated with CVE-2025-2636, website administrators are strongly encouraged to upgrade to version 0.1.0.86 of the plugin, or a later, patched release. This update addresses the LFI vulnerability and strengthens the security of WordPress websites relying on this plugin. 

For those using older versions of the plugin, immediate updates are crucial to prevent potential exploitation. Additionally, website administrators should always maintain a regular schedule of security updates to ensure their WordPress sites remain protected from future vulnerabilities. 

Wordfence Provides Further Insights

The security team at Wordfence, a popular security plugin for WordPress, has also shared additional information on the vulnerability. According to Wordfence’s findings, the plugin, specifically versions <= 0.1.0.85, is vulnerable to Unauthenticated Local PHP File Inclusion. This vulnerability could be exploited to execute arbitrary PHP code on the server, allowing attackers to manipulate the server and bypass access controls. 

Wordfence’s vulnerability report details the CVSS vector as follows: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This highlights the risk of unauthorized access and control over affected websites, reinforcing the importance of promptly applying security patches. 

Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.

Recent Posts

AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

The report noted that cyber risk has become a major financial stability concern as India's financial ecosystem becomes increasingly digital…

21 hours ago

Apple Security Update Patches 30+ Vulnerabilities in iOS 26.5.2

Apple said the flaws were addressed through improved memory management, input validation, bounds checking, and stronger security origin tracking.

2 days ago

Ukraine Makes History With First $8.3M Seized Crypto Transfer to ARMA

ARMA said receiving the cryptocurrency marks an important step in the evolution of Ukraine's asset management system.

2 days ago

U.S. Seizes Nearly 400 Illegal FIFA World Cup Streaming Domains

The domain seizure operation was coordinated with international partners through the International Computer Hacking and Intellectual Property (ICHIP) Network.

2 days ago

Operation Endgame Disrupts SocGholish, StealC Malware Networks

The operation forms part of Operation Endgame, described by Europol as the largest international initiative to disrupt ransomware enablers worldwide.

3 days ago

UAE Cybersecurity Council Calls for Stronger Digital Footprint Protection

The UAE Cybersecurity Council shares cybersecurity best practices to help users secure digital footprints and reduce cyberattack risks.

3 days ago

This website uses cookies. By continuing to use this website you are giving consent to cookies being used.

Read More