InstaWP Connect - Path Traversal (CVE-2025-2636)
248 exploiting IPs reported
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CrowdSec analysis
CVE-2025-2636 is a critical path traversal vulnerability in the InstaWP Connect – 1-click WP Staging & Migration WordPress plugin, affecting all versions up to and including 0.1.0.85. This flaw allows unauthenticated attackers to exploit the 'instawp-database-manager' parameter to include and execute arbitrary files on the server, potentially leading to remote code execution, data theft, or bypassing access controls. Attackers could leverage this vulnerability to upload and execute malicious PHP code, putting affected WordPress sites at significant risk.
CrowdSec has been tracking this vulnerability and its exploits since the 17th of June 2025.
Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-2636 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. In addition, according to the CrowdSec network, attack volume against CVE-2025-2636 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.
Attackers exploit this vulnerability by sending filesystem paths in the 'instawp-database-manager' parameter of a request to any URL on the site, which results in Local File Inclusion.
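A defender-side check for the request pattern described above, as an added example that is not CrowdSec's or the plugin's code: it scans web-server access log lines for the 'instawp-database-manager' query parameter carrying a path-like value, on any URL. The log lines are constructed, and treating any path separator or '..' in the value as suspicious is an assumption about legitimate use of the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "instawp-database-manager"  # parameter named in the advisory

# Combined log format: client IP first, request line in double quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2025:10:00:01 +0000] "GET /?instawp-database-manager=../../../example-file HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jun/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?instawp-database-manager=%252e%252e%252fexample-file HTTP/1.1" 200 90',
    '203.0.113.4 - - [17/Jun/2025:10:00:09 +0000] "GET /?instawp-database-manager=tables HTTP/1.1" 200 300',
    '203.0.113.4 - - [17/Jun/2025:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4100',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def looks_like_path(value):
    """Assumption: a separator, '..' or NUL in this parameter is never legitimate."""
    v = fully_decode(value)
    return any(tok in v for tok in ("/", "\\", "..", "\x00"))

def scan(lines):
    """Return (client_ip, decoded_value) for each request worth reviewing."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # The parameter is honoured on any URL, so the path is not filtered.
        query = urlsplit(target).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == PARAM and looks_like_path(value):
                hits.append((ip, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so a value sent in a request body is not visible to this check and needs WAF or application-level logging.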
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.