Themefic Instantio
cpe:2.3:a:themefic:instantio:*:*:*:*:wordpress:*:*
- <= 3.3.16
An unrestricted file upload vulnerability has been identified in the Themefic Instantio WordPress plugin, affecting all versions through 3.3.16. The plugin does not validate the type of files submitted with its settings page, so an authenticated user with administrator privileges can upload arbitrary files, including PHP web shells, to a web-accessible directory on the server.
Because the attacker must already hold an administrator account, the practical impact is that a compromised or malicious administrator can turn account access into remote code execution: an uploaded backdoor can be requested directly and executed on the web server to gain further access to the site and its hosting environment.
To reproduce this vulnerability, log into the WordPress admin panel, navigate to 'Instantio -> Settings', and save the settings while intercepting the resulting POST request with a proxy such as Burp Suite. Add file data to the request, using a PHP file that executes commands as the file content, and forward it. The uploaded file is saved in a web-accessible directory, where the web shell can be requested by URL and executed.
Users of the Instantio WordPress plugin should update to version 3.3.17 or later to address this vulnerability. Updating does not remove files that were already uploaded, so sites that were exposed should also check their web-accessible directories for unexpected PHP files.