Share
## https://sploitus.com/exploit?id=8B11F280-8713-5FAD-9258-8140316802F8
# CVE-2024-4898-Poc
CVE-2024-4898 InstaWP Connect โ 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/instawp-connect/instawp-connect-1-click-wp-staging-migration-01038-missing-authorization-to-unauthenticated-api-setuparbitrary-options-updateadministrative-user-creation
File: wp-content/plugins/instawp-connect/includes/class-instawp-rest-api.php
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/d6287d11-bf9d-4cb9-9dc6-7c49904d7757)
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/23e2517f-9c56-4ca7-91f7-0111d5416f41)
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/b34e0d39-163e-46ce-881f-119aa20d535c)
File: wp-content/plugins/instawp-connect/includes/class-instawp-tools.php
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/4962fb44-6c21-4e57-ba66-182479444401)
## Poc:
Create user role Administrator
Create api key: https://app.instawp.io/user/api-tokens
![image](https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/3dfe5d78-5311-4a8a-8d13-ad2363ea9925)
https://github.com/truonghuuphuc/CVE-2024-4898-Poc/assets/20487674/01be7c07-1894-4e70-9966-5ba7dce1fd2a