CVE-2025-2636: Critical WordPress Flaw Exploited – New CVE Tracker Here to Help

July 2025 by CrowdSec

Here’s your Monday report on immediate and emerging threats, powered by the CrowdSec Network.

WordPress Plugin Carrying a Critical Risk: Use the CrowdSec CVE Trend Page to Stay Ahead

This week, we have a gift for all newsletter readers: we are currently testing a new feature in the CrowdSec Console that will allow you to explore the data that CrowdSec has collected for CVEs. This new tool offers an aggregated view of threat signals collected by more than 120k machines contributing to the CrowdSec Network, the largest crowdsourced CTI Network in the world. This is an opportunity for our readers and contributors to discover which vulnerabilities are currently the most hyped, and which ones get significant media attention but are rarely exploited by attackers.

Below, we break down one of the highest-priority CVEs flagged by CrowdSec’s new CVE Trend Page, including key details and insights.

Key findings

Rapidly emerging threat: The CrowdSec Console’s newly launched CVE Trend Page (live data, daily updates) reveals CVE-2025-2636 has surged in recent weeks.

Active attack patterns: Multiple threat actors are systematically probing the instawp-database-manager parameter, attempting to access or include arbitrary file paths.

Critical impact: Successful exploitation enables remote PHP code execution through malicious file uploads, potentially leading to full site compromise.

About the exploit

CVE-2025-2636 is a high-severity Local File Inclusion vulnerability (CWE-22), found in InstaWP Connect ≤ 0.1.0.85, a rather popular WordPress plugin. Exploiting this flaw, attackers can bypass access controls, execute PHP code, and expose sensitive data.
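To check your own web server logs for the probing described in the key findings, here is a detection sketch added for illustration (it is not CrowdSec's detection scenario or code from the plugin). It assumes combined-format access logs and that a legitimate value of the instawp-database-manager parameter never contains path separators, traversal sequences or stream wrappers; the request paths, IPs and log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "instawp-database-manager"  # parameter named in the report

# Assumption: none of these ever appear in a legitimate value of PARAM.
SUSPICIOUS = re.compile(r"\.\.|[/\\]|\x00|^[a-z][a-z0-9+.\-]*:", re.I)

# Request portion of a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict if the line carries a file-path-like PARAM value."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != PARAM:
            continue
        value = fully_decode(value)  # parse_qsl already decoded one layer
        if SUSPICIOUS.search(value):
            return {"ip": m["ip"], "status": int(m["status"]), "value": value}
    return None

def scan(lines):
    return [hit for hit in map(inspect_line, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up request paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jul/2025:10:00:01 +0000] "GET /index.php?instawp-database-manager=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 153',
    '198.51.100.7 - - [07/Jul/2025:10:00:05 +0000] "GET /index.php?instawp-database-manager=%252e%252e%252fwp-config.php HTTP/1.1" 200 981',
    '203.0.113.5 - - [07/Jul/2025:10:01:12 +0000] "GET /index.php?instawp-database-manager=a1b2c3 HTTP/1.1" 200 4410',
    '203.0.113.5 - - [07/Jul/2025:10:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs only record the query string, so requests that carry the parameter in a POST body need a WAF or application-level log source instead; treat any hit answered with a 200 as the first one to triage.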