PT-2024-2414 · WordPress · Wp Crontrol

Johnbillion · Published 2024-03-25 · Updated 2025-12-05 · CVE-2024-28850

CVSS v3.1: 8.1 (High)
Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Crontrol versions prior to 1.16.2

Description: The issue concerns the WP Crontrol feature that allows administrative users to create events in the WP-Cron system which store and execute PHP code. Although there is no known vulnerability in this feature on its own, it can be chained into Remote Code Execution (RCE) by an attacker who exploits a separate SQL injection (SQLi) or similar vulnerability. Exploitation is possible if the site is vulnerable to a writeable SQLi vulnerability, has a compromised database, or is vulnerable to updating arbitrary options in the wp_options table or to triggering arbitrary actions, filters, or functions with attacker-controlled parameters.

Recommendations: For WP Crontrol versions prior to 1.16.2, update to version 1.16.2 or later to prevent tampering with the code stored in a PHP cron event. After the update, any existing PHP cron events will cease to execute until an administrative user re-saves them from the Cron Events screen in the admin area. As a temporary workaround, consider restricting access to the WP-Cron system or disabling the execution of PHP cron events until the update is applied.
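The kind of integrity check that makes stored cron code tamper-evident, as an added illustration (not WP Crontrol's own code): the PHP code is saved together with an HMAC computed under a secret that lives in wp-config.php rather than in the database, and the HMAC is verified before execution, so a record altered directly in wp_options, or a legacy record saved without a hash, is refused. The secret value, the helper names and the sample event below are constructed; in a real deployment the key would come from a wp-config.php constant such as AUTH_KEY.

```php
<?php
// Added illustration, not WP Crontrol's code: tamper-evident storage of the
// PHP code attached to a cron event. A database-only attacker (writable SQLi,
// compromised DB, arbitrary option update) can change the stored code but
// cannot recompute the HMAC without the secret held outside the database.

// Constructed secret; a real site would use a wp-config.php constant (AUTH_KEY).
const CRON_CODE_SECRET = 'constructed-secret-that-is-not-in-the-database';

// Build the record that would be persisted as the cron event's arguments.
function seal_php_event(string $code, string $secret): array {
    return [
        'code' => $code,
        'hash' => hash_hmac('sha256', $code, $secret),
    ];
}

// Decide whether a stored record may be executed. Fails closed when the hash
// is absent (event saved before sealing was introduced) or does not match.
function verify_php_event(array $event, string $secret): bool {
    if (!isset($event['code'], $event['hash'])
        || !is_string($event['code']) || !is_string($event['hash'])) {
        return false; // legacy or malformed record: must be re-saved by an admin
    }
    $expected = hash_hmac('sha256', $event['code'], $secret);
    return hash_equals($expected, $event['hash']); // constant-time comparison
}

// Demonstration with constructed data.
$event = seal_php_event('error_log("housekeeping ran");', CRON_CODE_SECRET);
echo 'sealed event verifies: ';
var_dump(verify_php_event($event, CRON_CODE_SECRET));

// Record edited directly in the database: only the code column was changed.
$tampered = $event;
$tampered['code'] = 'error_log("code changed outside the admin screen");';
echo 'tampered event verifies: ';
var_dump(verify_php_event($tampered, CRON_CODE_SECRET));

// Record from before sealing existed: no hash at all, so it is not executed.
$legacy = ['code' => 'error_log("old event");'];
echo 'legacy event verifies: ';
var_dump(verify_php_event($legacy, CRON_CODE_SECRET));
```

The last case is why the advisory notes that existing PHP cron events stop running after the update until an administrator re-saves them: re-saving is what produces the hash under the secret.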

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-02366
CVE-2024-28850
GHSA-9XVF-CJVF-FF5Q

Affected Products

Wp Crontrol