{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19755?format=json","vulnerability_id":"VCID-t9jk-6dsr-7ues","summary":"WP Crontrol vulnerable to possible RCE when combined with a pre-condition\nWP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code [subject to the restrictive security permissions documented here](https://wp-crontrol.com/docs/php-cron-events/). While there is _no known vulnerability in this feature on its own_, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability.\n\nThis is exploitable on a site if one of the below preconditions are met:\n\n* The site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core\n* The site's database is compromised at the hosting level\n* The site is vulnerable to a method of updating arbitrary options in the `wp_options` table\n* The site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters","aliases":[{"alias":"CVE-2024-28850"},{"alias":"GHSA-9xvf-cjvf-ff5q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68358?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.16.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.16.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/678083?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.10.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678084?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.11.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678085?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.12.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678086?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.12.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.12.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678087?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.13.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.13.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678088?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.13.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.13.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678089?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.13.2"},{"url":"http://public2.vulnerablecode.io/api/packages/678090?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.14.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678091?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678092?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.15.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678093?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.15.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.2"},{"url":"http://public2.vulnerablecode.io/api/packages/678094?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.15.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.15.3"},{"url":"http://public2.vulnerablecode.io/api/packages/678095?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.16.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.16.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678096?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.16.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678065?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/678066?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/678067?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678068?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/678069?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678070?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/678071?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678072?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/678073?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678074?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678075?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678076?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/678077?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/678078?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/678079?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.4"},{"url":"http://public2.vulnerablecode.io/api/packages/678080?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.8.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/678081?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/678082?format=json","purl":"pkg:composer/johnbillion/wp-crontrol@1.9.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t9jk-6dsr-7ues"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/johnbillion/wp-crontrol@1.9.1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28850","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07615","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28850"},{"reference_url":"https://github.com/johnbillion/wp-crontrol","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/johnbillion/wp-crontrol"},{"reference_url":"https://github.com/johnbillion/wp-crontrol/commit/6d1fadcf6dfdd54e55feef27f916b0cfcd602405","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/johnbillion/wp-crontrol/commit/6d1fadcf6dfdd54e55feef27f916b0cfcd602405"},{"reference_url":"https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-28T18:27:24Z/"}],"url":"https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2"},{"reference_url":"https://snicco.io/vulnerability-disclosure","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snicco.io/vulnerability-disclosure"},{"reference_url":"https://wp-crontrol.com/docs/php-cron-events","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://wp-crontrol.com/docs/php-cron-events"},{"reference_url":"https://wp-crontrol.com/help/check-php-cron-events","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://wp-crontrol.com/help/check-php-cron-events"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28850","reference_id":"CVE-2024-28850","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28850"},{"reference_url":"https://github.com/advisories/GHSA-9xvf-cjvf-ff5q","reference_id":"GHSA-9xvf-cjvf-ff5q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9xvf-cjvf-ff5q"},{"reference_url":"https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5q","reference_id":"GHSA-9xvf-cjvf-ff5q","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-28T18:27:24Z/"}],"url":"https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5q"}],"weaknesses":[{"cwe_id":494,"name":"Download of Code Without Integrity Check","description":"The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t9jk-6dsr-7ues"}