CVE-2024-28850: WP Crontrol controls the cron events on WordPress websites. WP Crontrol includes a feature that allows administrative users to create events in the W...

Description

WP Crontrol controls the cron events on WordPress websites. WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability. This is exploitable on a site if one of the below preconditions are met, the site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core, the site's database is compromised at the hosting level, the site is vulnerable to a method of updating arbitrary options in the wp_options table, or the site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters. As a hardening measure, WP Crontrol version 1.16.2 ships with a new feature that prevents tampering of the code stored in a PHP cron event.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

0.17%

6.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-494

Affected Software

Vendor	Product	Versions
Johnbillion	Wp Crontrol	< 1.16.2

References

https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2Release Notes
https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5qVendor Advisory
https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2Release Notes
https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5qVendor Advisory

Timeline

Published: Mar 25, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-28850?

WP Crontrol controls the cron events on WordPress websites. WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability. This is exploitable on a site if one of the below preconditions are met, the site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core, the site's database is compromised at the hosting level, the site is vulnerable to a method of updating arbitrary options in the wp_options table, or the site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters. As a hardening measure, WP Crontrol version 1.16.2 ships with a new feature that prevents tampering of the code stored in a PHP cron event.

How severe is CVE-2024-28850?

CVE-2024-28850 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.

How do I fix CVE-2024-28850?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.