Description
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control leading to unauthorized plugin actions
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a missing authorization flaw that permits users with incorrectly configured access control settings to exploit the InstaWP Connect plugin. The issue can let an attacker gain unauthorized access to protected plugin features or perform actions beyond their intended scope, thereby compromising integrity and potentially confidentiality of the WordPress site. The weakness is grouped under CWE-862, reflecting improper authorization controls.

Affected Systems

WordPress installations running the InstaWP Connect plugin version 0.1.2.5 or earlier are affected. The issue originates from the InstaWP vendor's component and applies to any site that has the plugin installed without a newer patch.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, which suggests that exploitation likelihood is currently low and the vulnerability is not reported in CISA’s KEV catalog. The most probable attack vector is remote, arising through the plugin’s administrative interface, as the flaw stems from misconfigured access controls. No direct exploitation code or publicly available exploit is documented, but the underlying weakness could be leveraged if an attacker can manipulate the plugin’s configuration or target an unauthenticated user session.

Generated by OpenCVE AI on April 13, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the InstaWP Connect plugin to a version newer than 0.1.2.5 to eliminate the missing authorization flaw.
  • If an update is not yet available, restrict the plugin’s functionality to administrators only and enforce strict role-based permissions for any plugin management tasks.
  • Monitor the WordPress site for any unauthorized activity related to the plugin and review access logs for anomalous actions.

Generated by OpenCVE AI on April 13, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Instawp
Instawp instawp Connect
Wordpress
Wordpress wordpress
Vendors & Products Instawp
Instawp instawp Connect
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.
Title WordPress InstaWP Connect plugin <= 0.1.2.5 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Instawp Instawp Connect
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.914Z

Reserved: 2026-04-07T10:47:50.136Z

Link: CVE-2026-39504

cve-icon Vulnrichment

Updated: 2026-04-13T18:45:52.556Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:24.513

Modified: 2026-04-29T10:17:25.850

Link: CVE-2026-39504

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:39:59Z

Weaknesses