The Moroccan authorities have warned users of a critical vulnerability in the popular WordPress plugin, InstaWP Connect. The General Directorate of Information Systems Security (DGSSI), which operates under Morocco’s National Defense Administration, issued an advisory detailing the WordPress vulnerability. This advisory comes amid a growing number of cyberattacks targeting government websites in Morocco, with attackers believed to be linked to hacker groups based in Algeria.
The vulnerability, identified as CVE-2025-2636, specifically impacts older versions of the plugin. Versions prior to 0.1.0.88 are at risk. This security flaw enables unauthorized attackers to remotely execute malicious PHP code on affected websites. If left unpatched, the vulnerability could lead to a variety of security breaches, including unauthorized access to sensitive data or even full website compromise.
WordPress, the widely used content management system (CMS), has already issued a security patch to resolve the issue. Website administrators are strongly advised to update their plugins to version 0.1.0.86 or a later patched release. The fix can be easily applied via the WordPress platform’s dedicated plugin update page.
InstaWP Connect WordPress Plugin Vulnerability Details

The vulnerability, designated CVE-2025-2636, is described as a Local File Inclusion (LFI) issue, which is a type of vulnerability that allows attackers to include and execute arbitrary files on the server. This vulnerability affects all versions of the plugin up to and including 0.1.0.85. Specifically, the flaw exists in the ‘instawp-database-manager’ parameter, which, when exploited, enables unauthenticated attackers to gain access to the server and execute malicious PHP code.
Once attackers can execute PHP code, they could potentially bypass access controls, extract sensitive information, or manipulate the server in a way that could compromise the entire website. Even though the plugin is designed to allow staging and migration for WordPress sites, the vulnerability exposes users to cybersecurity risks if not addressed.
Impact of the Vulnerability
The CVE-2025-2636 vulnerability has been rated as Critical, with an overall CVSS score of 8.1, signaling a high level of severity. Exploiting this vulnerability could allow attackers to execute PHP code remotely without the need for authentication. This makes it particularly dangerous, as even individuals with no login credentials could gain full control over the affected WordPress sites.
As Morocco faces an ongoing series of cyberattacks on its government and public sector websites, this warning highlights the critical need for all website administrators—particularly those using WordPress and the InstaWP Connect plugin—to take immediate action.
Steps for Mitigation
To mitigate the risks associated with CVE-2025-2636, website administrators are strongly encouraged to upgrade to version 0.1.0.86 of the plugin, or a later, patched release. This update addresses the LFI vulnerability and strengthens the security of WordPress websites relying on this plugin.
For those using older versions of the plugin, immediate updates are crucial to prevent potential exploitation. Additionally, website administrators should always maintain a regular schedule of security updates to ensure their WordPress sites remain protected from future vulnerabilities.
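To confirm which sites still need the update, the following added example (not code from the advisory, Wordfence or the plugin) reads the plugin's `Version:` header on disk and compares it numerically with 0.1.0.86, the patched release named above. The directory name `instawp-connect`, the sample file name and the helper names are assumptions, and the sample plugin tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (0, 1, 0, 86)      # first patched release named in the advisory
SLUG = "instawp-connect"   # assumed plugin directory under wp-content/plugins

# Same shape as a WordPress plugin header line, e.g. " * Version: 0.1.0.85"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def parse_version(text):
    """Turn '0.1.0.85' into (0, 1, 0, 85); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def installed_version(plugins_dir):
    """Return the Version: header found in the plugin's top-level PHP files."""
    for php in sorted((Path(plugins_dir) / SLUG).glob("*.php")):
        # WordPress only reads the first 8 KiB of a file for headers.
        match = HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if match:
            return match.group(1)
    return None

def audit(plugins_dir):
    """Return 'absent', 'unknown', 'vulnerable' or 'patched'."""
    if not (Path(plugins_dir) / SLUG).is_dir():
        return "absent"
    version = installed_version(plugins_dir)
    if version is None:
        return "unknown"   # directory exists but no header: inspect by hand
    # Tuple comparison is numeric, so 0.1.0.9 sorts below 0.1.0.86.
    return "vulnerable" if parse_version(version) < FIXED else "patched"

def make_sample(root, version):
    """Constructed sample: a plugins tree holding a minimal plugin header."""
    plugin = Path(root) / SLUG
    plugin.mkdir(parents=True)
    (plugin / "instawp-connect.php").write_text(
        f"<?php\n/**\n * Plugin Name: InstaWP Connect\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for sample in ("0.1.0.85", "0.1.0.86", "0.1.0.9"):
        with tempfile.TemporaryDirectory() as tmp:
            print(sample, audit(make_sample(tmp, sample)))
```

Point `audit()` at each site's real `wp-content/plugins` directory; an `unknown` result means the plugin directory exists but no version header was found and the install should be inspected manually.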
Wordfence Provides Further Insights
The security team at Wordfence, a popular security plugin for WordPress, has also shared additional information on the vulnerability. According to Wordfence’s findings, the plugin, specifically versions <= 0.1.0.85, is vulnerable to Unauthenticated Local PHP File Inclusion. This vulnerability could be exploited to execute arbitrary PHP code on the server, allowing attackers to manipulate the server and bypass access controls.
Wordfence’s vulnerability report details the CVSS vector as follows: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This highlights the risk of unauthorized access and control over affected websites, reinforcing the importance of promptly applying security patches.