CVE-2024-22145 - InstaWP Connect Privilege Escalation Explained with Example Exploit

In January 2024, security researchers identified a serious vulnerability—CVE-2024-22145—in the InstaWP Connect WordPress plugin. This blog post will break down what this bug is, why it matters, and show you, with code examples, how an attacker might exploit it to become an admin on your site.

What is InstaWP Connect?

InstaWP Connect is a popular WordPress plugin developed by the InstaWP Team. It's used for quickly launching WordPress staging or testing sites. Millions of WordPress users trust plugins like InstaWP Connect for site management.

Severity: HIGH

- CVE ID: CVE-2024-22145
- Plugin Page: wordpress.org/plugins/instawp-connect

What Went Wrong?

This vulnerability allows a logged-in user with low privileges (like a "subscriber") to escalate their account to "admin." The plugin failed to properly verify a user's role when handling sensitive actions.

In simple words: If you're logged in, you could trick the plugin into giving you superpowers.

Let's look at a simplified* version of what was happening under the hood

// Example vulnerable code snippet
add_action('wp_ajax_instawp_some_action', 'instawp_escalate_privilege');

function instawp_escalate_privilege() {
    // No permission check!
    $user_id = get_current_user_id();
    if(isset($_POST['make_me_admin']) && $_POST['make_me_admin'] === 'yes'){
        $user = new WP_User($user_id);
        $user->set_role('administrator');
        wp_send_json_success('Success!');
    } else {
        wp_send_json_error('Failed.');
    }
}

The key mistake? There is no check to see if the user is already an admin, or any confirmation that the user has the right to make such a request.

Exploit Example

This vulnerability can easily be exploited with a few lines of code or a tool like cURL, Postman, or Burp Suite. Below is an example of exploiting the bug using cURL, as a logged-in user (you must have a valid WordPress session cookie).

Step 1: Login to your account (even just a "subscriber" user).

Step 2: Run the following cURL command, updating the cookie to your session.

curl -X POST "https://your-wordpress-site.com/wp-admin/admin-ajax.php"; \
     -d "action=instawp_some_action&make_me_admin=yes" \
     -H "Cookie: wordpress_logged_in_xxx=your_session_here"

Step 3: If successful, your account is now an administrator!

Update Now!

The InstaWP team has since patched this vulnerability. Always run the latest version of any plugin. Check for updates via your WordPress dashboard.

Security Best Practices:

If you are a developer, always check a user's role before performing sensitive actions

if(current_user_can('manage_options')) {
    // safe to escalate role or perform sensitive task
}

References & Further Reading

- Original CVE record
- Plugin Page on WordPress
- Patchstack Advisory
- Official InstaWP Announcement

Conclusion

CVE-2024-22145 is a good reminder to always verify user permissions before handling anything related to roles and capabilities in WordPress plugins. If you use InstaWP Connect, update immediately and review your site's user accounts for any signs of unauthorized escalation.

Got questions? Drop them in the comments below or check the references for more technical details.

*Note: The PHP code is a simplified version to demonstrate the core of the vulnerability and does not represent the InstaWP code exactly.

Timeline

Published on: 05/17/2024 09:15:21 UTC
Last modified on: 08/01/2024 22:35:34 UTC