InstaWP Connect - Path Traversal (CVE-2025-2636)
338 exploiting IPs reported
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CrowdSec analysis
CVE-2025-2636 is a critical path traversal vulnerability in the InstaWP Connect – 1-click WP Staging & Migration WordPress plugin, affecting all versions up to 0.1.0.85. This flaw allows unauthenticated attackers to exploit the 'instawp-database-manager' parameter to include and execute arbitrary files on the server, potentially leading to remote code execution, data theft, or bypassing access controls. Attackers could leverage this vulnerability to upload and execute malicious PHP code, putting affected WordPress sites at significant risk.
CrowdSec has been tracking this vulnerability and its exploits since the 17th of June 2025.
According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-2636 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-2636 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Attackers exploit this vulnerability by sending filesystem paths in the instawp-database-manager parameter, which can be attached to any URL on the site, resulting in Local File Inclusion.
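The request pattern described above can be hunted for in web server access logs. The following is an added example, not CrowdSec's or the plugin's code: it assumes combined-format access logs, inspects only the query string, and treats any parameter value containing `..`, a path separator or a NUL byte as suspicious (an assumption, since the page does not describe legitimate values); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "instawp-database-manager"  # parameter named in the advisory
# Combined-log line: client IP first, then the quoted "METHOD target HTTP/x.y" field
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')
# Assumption: a value with dot-dot, a separator or a NUL byte is a path, not a plain name
PATH_LIKE = re.compile(r'(\.\.|[/\\]|\x00)')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e) for a bounded number of rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for requests carrying a path-like PARAM value."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client_ip, target = m.groups()
        # The advisory says any URL is affected, so the path component is ignored.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode_fully(value)
            if decode_fully(name).lower() == PARAM and PATH_LIKE.search(value):
                hits.append((client_ip, value))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jul/2025:10:00:00 +0000] "GET /?instawp-database-manager=../../../../tmp/example HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jul/2025:10:00:05 +0000] "GET /wp-login.php?instawp-database-manager=%252e%252e%252fuploads%252fimage HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jul/2025:10:00:09 +0000] "GET /?s=instawp-database-manager HTTP/1.1" 200 1020',
    '198.51.100.8 - - [01/Jul/2025:10:00:12 +0000] "GET /?instawp-database-manager=abc123 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent path-like {PARAM} value: {value!r}")
```

Requests that carry the parameter in a POST body do not appear in standard access logs and need inspection at a WAF or reverse proxy instead.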
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.