Cyber Posture

CVE-2024-13913

Severity: High
Published: 14 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: see changeset 3254817 under Deeper analysis
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13913 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the InstaWP Connect plugin for WordPress (affected product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Web Shell (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent)

Requires session authenticity mechanisms such as cryptographic nonces to prevent CSRF attacks that exploit missing nonce validation for arbitrary file inclusion.

SI-10 Information Input Validation (prevent)

Mandates validation of information inputs such as CSRF nonces and file parameters at web endpoints to block forged requests leading to PHP code execution.

SI-2 Flaw Remediation, identifier inferred from the control description (prevent)

Directs identification, reporting, and correction of flaws like the missing nonce validation in the plugin, ensuring timely patching to a version later than 0.1.0.83.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The CSRF vulnerability in a public-facing WordPress plugin enables direct exploitation of the application for initial access (T1190), and the resulting arbitrary PHP file inclusion yields remote code execution, which directly facilitates web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

Deeper analysis

CVE-2024-13913 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress in all versions up to and including 0.1.0.83. The issue stems from missing or incorrect nonce validation in the '/migrate/templates/main.php' file, which enables unauthenticated attackers to include and execute arbitrary files on the server. This flaw allows the execution of PHP code within those files, particularly when leveraging uploads of images or other "safe" file types that can be included.

Because the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8) requires user interaction (UI:R), an unauthenticated attacker exploits this vulnerability by inducing a user who holds a valid WordPress session to trigger the request, for example by visiting a crafted web page. Successful exploitation has high confidentiality, integrity, and availability impact, enabling an attacker to bypass access controls, obtain sensitive data, or achieve remote code execution on the targeted WordPress server.

Mitigation details are given in the WordPress plugin Trac references, which point to code locations in 'class-instawp-admin.php' (line 159) and 'main.php' (line 27); the fix was applied in changeset 3254817. Security practitioners should update the InstaWP Connect plugin to a version later than 0.1.0.83, as advised by sources such as Wordfence threat intelligence, to correct the nonce validation deficiency and prevent arbitrary file inclusion.
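The two controls the page recommends, session authenticity (SC-23) and input validation (SI-10), correspond to two concrete checks in a WordPress request handler. The following example is added here for illustration; it is not code from the InstaWP Connect plugin, from the Trac changeset, or from Wordfence. The handler names, the nonce action `instawp_demo_render`, the query parameters and the template allow-list are all assumed, and the code expects to run inside the WordPress runtime (wp_verify_nonce, current_user_can, sanitize_key and the other helpers are WordPress core functions). It places the weak include pattern the NVD text describes next to a hardened handler that verifies a nonce, checks capability, and resolves the template from a fixed map rather than from a request-supplied path.

```php
<?php
// Added illustration, not the plugin's code. Assumes the WordPress runtime.

// WEAK PATTERN (for contrast): the template name comes straight from the
// request and is included with no nonce check and no capability check.
// Nothing ties the request to an intent of the logged-in user, so a forged
// cross-site request is processed exactly like a legitimate one.
function render_migration_template_weak() {
    $template = isset( $_GET['template'] ) ? $_GET['template'] : 'main';
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED PATTERN
// Templates this handler may render. Resolving the file through a fixed map
// (SI-10, input validation) means request data never becomes a filesystem path.
const INSTAWP_DEMO_TEMPLATES = array(
    'main'    => 'main.php',
    'summary' => 'summary.php',
);

function render_migration_template() {
    // 1. Authorization: only users permitted to manage the site reach this code.
    //    Nonces are not an authorization mechanism, so this check stays separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Session authenticity (SC-23): the request must carry a nonce WordPress
    //    issued to this user for this specific action. A page on another origin
    //    cannot read that value, so a forged request fails here.
    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'instawp_demo_render' ) ) {
        wp_die( 'Security check failed', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Input validation (SI-10): accept only a key of the allow-list. Dots,
    //    slashes, absolute paths and names of uploaded files are all rejected.
    $key = isset( $_GET['template'] )
        ? sanitize_key( wp_unslash( $_GET['template'] ) )
        : 'main';
    if ( ! array_key_exists( $key, INSTAWP_DEMO_TEMPLATES ) ) {
        wp_die( 'Unknown template', 'Bad Request', array( 'response' => 400 ) );
    }

    include __DIR__ . '/templates/' . INSTAWP_DEMO_TEMPLATES[ $key ];
}

// Issuing the protected link: wp_nonce_url() appends a _wpnonce parameter
// bound to the 'instawp_demo_render' action and the current user's session,
// which is the value wp_verify_nonce() checks above.
function instawp_demo_template_link( $key ) {
    $url = add_query_arg(
        array( 'page' => 'instawp-demo', 'template' => $key ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'instawp_demo_render' );
}
```

wp_verify_nonce() returns false for a missing, malformed or expired nonce (WordPress nonces are time-limited and user-bound), so the handler rejects any request that was not built through instawp_demo_template_link() for the same user. The capability check is kept in front of the nonce check deliberately: a nonce proves the request came from a page WordPress served to that user, not that the user is allowed to perform the action.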

Details

CWE(s)

CWE-352 Cross-Site Request Forgery

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-39617 (shared CWE-352)
CVE-2026-39619 (shared CWE-352)
CVE-2025-11087 (shared CWE-352)
CVE-2026-33507 (shared CWE-352)
CVE-2025-23922 (shared CWE-352)
CVE-2025-2319 (shared CWE-352)
CVE-2025-23803 (shared CWE-352)
CVE-2025-25071 (shared CWE-352)
CVE-2025-23821 (shared CWE-352)
CVE-2025-30615 (shared CWE-352)

References