Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/19755?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19755?format=api", "vulnerability_id": "VCID-t9jk-6dsr-7ues", "summary": "WP Crontrol vulnerable to possible RCE when combined with a pre-condition\nWP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code [subject to the restrictive security permissions documented here](https://wp-crontrol.com/docs/php-cron-events/). While there is _no known vulnerability in this feature on its own_, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability.\n\nThis is exploitable on a site if one of the below preconditions are met:\n\n* The site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core\n* The site's database is compromised at the hosting level\n* The site is vulnerable to a method of updating arbitrary options in the `wp_options` table\n* The site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters", "aliases": [ { "alias": "CVE-2024-28850" }, { "alias": "GHSA-9xvf-cjvf-ff5q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68358?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.16.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.16.2" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/678083?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.10.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.10.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678084?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.11.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.11.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678085?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.12.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.12.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678086?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.12.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.12.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678087?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.13.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.13.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678088?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.13.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.13.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678089?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.13.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/678090?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.14.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.14.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678091?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.15.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678092?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678093?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/678094?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.15.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/678095?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.16.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.16.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678096?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.16.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.16.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678065?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/678066?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/678067?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678068?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/678069?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678070?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/678071?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678072?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/678073?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678074?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.7.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678075?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678076?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/678077?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/678078?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/678079?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/678080?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.8.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/678081?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.9.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/678082?format=api", "purl": "pkg:composer/johnbillion/wp-crontrol@1.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t9jk-6dsr-7ues" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.9.1" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28850", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07615", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28850" }, { "reference_url": "https://github.com/johnbillion/wp-crontrol", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/johnbillion/wp-crontrol" }, { "reference_url": "https://github.com/johnbillion/wp-crontrol/commit/6d1fadcf6dfdd54e55feef27f916b0cfcd602405", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/johnbillion/wp-crontrol/commit/6d1fadcf6dfdd54e55feef27f916b0cfcd602405" }, { "reference_url": "https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-28T18:27:24Z/" } ], "url": "https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2" }, { "reference_url": "https://snicco.io/vulnerability-disclosure", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snicco.io/vulnerability-disclosure" }, { "reference_url": "https://wp-crontrol.com/docs/php-cron-events", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://wp-crontrol.com/docs/php-cron-events" }, { "reference_url": "https://wp-crontrol.com/help/check-php-cron-events", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://wp-crontrol.com/help/check-php-cron-events" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28850", "reference_id": "CVE-2024-28850", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28850" }, { "reference_url": "https://github.com/advisories/GHSA-9xvf-cjvf-ff5q", "reference_id": "GHSA-9xvf-cjvf-ff5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9xvf-cjvf-ff5q" }, { "reference_url": "https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5q", "reference_id": "GHSA-9xvf-cjvf-ff5q", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-28T18:27:24Z/" } ], "url": "https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5q" } ], "weaknesses": [ { "cwe_id": 494, "name": "Download of Code Without Integrity Check", "description": "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t9jk-6dsr-7ues" }