Summary
WP Crontrol vulnerable to possible RCE when combined with a pre-condition
Workarounds
Given that one or more of the preconditions listed above are met, there are no known workarounds for this issue other than to update WP Crontrol to version 1.16.2 or later.
Note that neither the DISALLOW_FILE_MODS constant nor the DISALLOW_FILE_EDIT constant prevent this from being exploitable because these constants do not prevent PHP cron events from being executed. It's an intended feature of WP Crontrol that PHP cron events in the database will continue to run according to their schedule even if editing PHP cron events is disabled due to one of these constants being defined.
FAQ
Is my site at risk?
Your site is only at risk if at least one of the preconditions listed above are met and an attacker is actively attacking your site in order to exploit this. There is no known vulnerability in this feature on its own.
Why is this classified as high severity?
The CVSS score is used to classify the severity of a vulnerability in isolation, which in this case is high due to the possibility of RCE. The actual risk is likely to be low and is dependent entirely on one of the preconditions being met.
How is this any different to an SQLi vulnerability that would allow an attacker to create an Administrator user and then access the theme or plugin editor?
The difference is in the handling of the DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT constants. With either one of these constants defined in your wp-config.php file then the plugin and theme editors are disabled. In WP Crontrol the ability to edit PHP cron events in WP Crontrol is also disabled in this case, however PHP cron events in the database will continue to run according to their schedule.
Thanks
This issue was identified by John Blackbourn, the author of the WP Crontrol plugin.
Thanks go to:
- Calvin Alkan for researching and reporting many vulnerabilities in WordPress plugins and for publishing the details on the snicco blog. Calvin's work prompted me to investigate whether the PHP cron event functionality in WP Crontrol could be exploited when attacked via with vulnerability chaining, and he collaborated on this security advisory.
- Joe Hoyle for collaborating on this advisory.
Impact
WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability.
This is exploitable on a site if one of the below preconditions are met:
- The site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core
- The site's database is compromised at the hosting level
- The site is vulnerable to a method of updating arbitrary options in the
wp_optionstable - The site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters
CVE-2024-28850 has a CVSS score of 8.1 (High). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.16.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
As a hardening measure, WP Crontrol version 1.16.2 ships with a new feature that prevents tampering of the code stored in a PHP cron event.
All PHP cron events are now secured via an integrity check that makes use of an HMAC to store a hash of the code alongside it when the event is saved. When the event runs, the hash is verified to ensure the code has not been tampered with. WP Crontrol will not execute the PHP code if the hash cannot be verified or if a stored hash is not present. If an attacker with database-level access were to modify the code in an event in an attempt to execute arbitrary code, the code would no longer execute.
Any PHP cron events that exist in the database prior to updating to version 1.16.2 will cease to execute until an administrative user re-saves them from the Cron Events screen in the admin area. A notice will be shown in the admin area informing administrative users if this is the case.
Frequently Asked Questions
- What is CVE-2024-28850? CVE-2024-28850 is a high-severity security vulnerability in johnbillion/wp-crontrol (composer), affecting versions < 1.16.2. It is fixed in 1.16.2.
- How severe is CVE-2024-28850? CVE-2024-28850 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of johnbillion/wp-crontrol are affected by CVE-2024-28850? johnbillion/wp-crontrol (composer) versions < 1.16.2 is affected.
- Is there a fix for CVE-2024-28850? Yes. CVE-2024-28850 is fixed in 1.16.2. Upgrade to this version or later.
- Is CVE-2024-28850 exploitable, and should I be worried? Whether CVE-2024-28850 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-28850 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-28850? Upgrade
johnbillion/wp-crontrolto 1.16.2 or later.