OpenCVE

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wordpress	Wordpress

Configuration 1 [-]

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://developer.wordpress.org/plugins/cron/
https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8
https://medium.com/%40thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30
https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/
https://wordpress.org/about/security/
https://wordpress.org/support/article/how-to-install-wordpress/
https://www.tenable.com/plugins/was/113449

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-05T00:00:00

Updated: 2024-08-02T10:13:49.462Z

Reserved: 2023-01-05T00:00:00

Link: CVE-2023-22622

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-05T02:15:07.980

Modified: 2024-11-21T07:45:04.733

Link: CVE-2023-22622

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-22622", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T10:13:49.462Z", "dateReserved": "2023-01-05T00:00:00", "datePublished": "2023-01-05T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-02-01T00:00:00"}, "descriptions": [{"lang": "en", "value": "WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes \"the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner,\" but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://medium.com/%40thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30"}, {"url": "https://www.tenable.com/plugins/was/113449"}, {"url": "https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8"}, {"url": "https://developer.wordpress.org/plugins/cron/"}, {"url": "https://wordpress.org/about/security/"}, {"url": "https://wordpress.org/support/article/how-to-install-wordpress/"}, {"url": "https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:13:49.462Z"}, "title": "CVE Program Container", "references": [{"url": "https://medium.com/%40thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/plugins/was/113449", "tags": ["x_transferred"]}, {"url": "https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8", "tags": ["x_transferred"]}, {"url": "https://developer.wordpress.org/plugins/cron/", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/about/security/", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/support/article/how-to-install-wordpress/", "tags": ["x_transferred"]}, {"url": "https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5D6AAC8-2C73-4F36-B992-3EB9B31359A1", "versionEndIncluding": "6.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes \"the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner,\" but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits."}, {"lang": "es", "value": "WordPress hasta 6.1.1 depende de visitas impredecibles de clientes para provocar la ejecuci\u00f3n de wp-cron.php y las actualizaciones de seguridad resultantes, y el c\u00f3digo fuente describe \"el escenario en el que un sitio puede no recibir suficientes visitas para ejecutar las tareas programadas de manera oportuna\" pero ni la gu\u00eda de instalaci\u00f3n ni la gu\u00eda de seguridad mencionan este comportamiento predeterminado, ni alertan al usuario sobre riesgos de seguridad en instalaciones con muy pocas visitas."}], "id": "CVE-2023-22622", "lastModified": "2024-11-21T07:45:04.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-05T02:15:07.980", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://developer.wordpress.org/plugins/cron/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wordpress.org/about/security/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://wordpress.org/support/article/how-to-install-wordpress/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/plugins/was/113449"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://developer.wordpress.org/plugins/cron/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wordpress.org/about/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wordpress.org/support/article/how-to-install-wordpress/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/plugins/was/113449"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}