
CVE-2024-28850:
WP Crontrol vulnerable to possible RCE when combined with a pre-condition

CVSS Score: 8.2 (CVSS 3.1)

Basic Information

EPSS Score: 0.02777%
Published: 3/25/2024
Updated: 3/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name: johnbillion/wp-crontrol
Ecosystem: composer
Vulnerable Versions: < 1.16.2
First Patched Version: 1.16.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The core vulnerability stems from the action_php_cron_event function executing arbitrary PHP code stored in cron events without verifying its integrity. Before the patch, this function accepted the $code parameter and passed it directly to eval() with no hash verification. Combined with a database write capability (for example SQL injection, or another pre-condition that lets an attacker alter wp_options), an attacker could modify the PHP code stored for a cron event and have it executed, achieving RCE. The patched version added HMAC verification (check_integrity) and additional parameters so that code modified after it was stored is no longer executed. Because the pre-patch implementation executes stored code without any integrity check, it matches CWE-494 (Download of Code Without Integrity Check), the weakness cited in the advisory.
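The following PHP is an added illustration of the mechanism described above; it is not WP Crontrol's code and does not reproduce the project's patch. It shows a stored PHP cron event being executed from a simulated wp_options table, first without any integrity check and then with an HMAC keyed by a secret that lives outside the database. The function names (schedule_php_event, run_php_event, compute_hash, the stand-in check_integrity) and the CRON_SECRET constant are assumptions made for this example.

```php
<?php
// Added example (not WP Crontrol's code). Names below are hypothetical.

// Stand-in for a WordPress secret such as a salt that is defined in
// wp-config.php rather than stored in the database. Assumption: an attacker
// who only has a database write primitive cannot read this value.
const CRON_SECRET = 'replace-with-a-long-random-value-from-wp-config';

// Simulated wp_options storage holding the 'cron' option.
$options = [];

function set_option(array &$options, string $name, $value): void { $options[$name] = $value; }
function get_option(array $options, string $name) { return $options[$name] ?? null; }

// --- Pre-patch shape: the stored code is eval()'d exactly as found in the DB. ---
function schedule_php_event_unverified(array &$options, string $code): void {
    set_option($options, 'cron', ['args' => ['code' => $code]]);
}
function run_php_event_unverified(array $options): void {
    $code = get_option($options, 'cron')['args']['code'];
    eval($code);  // whatever is in the option runs as PHP
}

// --- Hardened shape: store an HMAC beside the code and verify it before eval(). ---
function compute_hash(string $code): string {
    return hash_hmac('sha256', $code, CRON_SECRET);
}
function check_integrity(string $code, ?string $hash): bool {
    if ($hash === null) {
        return false;               // legacy event without a hash: refuse to run it
    }
    return hash_equals(compute_hash($code), $hash);  // constant-time comparison
}
function schedule_php_event(array &$options, string $code): void {
    set_option($options, 'cron', ['args' => ['code' => $code, 'hash' => compute_hash($code)]]);
}
function run_php_event(array $options): bool {
    $args = get_option($options, 'cron')['args'];
    if (!check_integrity($args['code'], $args['hash'] ?? null)) {
        error_log('PHP cron event integrity check failed; not executing');
        return false;
    }
    eval($args['code']);
    return true;
}

// Demo. An administrator schedules a benign event, then an attacker holding a
// database write primitive (the advisory's pre-condition) overwrites the code.
schedule_php_event($options, 'echo "legitimate event\n";');
run_php_event($options);                                     // executes

$options['cron']['args']['code'] = 'echo "attacker code\n";'; // tampering via DB write
run_php_event($options);                                     // refused: HMAC mismatch

// The unverified variant executes the tampered code.
schedule_php_event_unverified($options, 'echo "legitimate event\n";');
$options['cron']['args']['code'] = 'echo "attacker code\n";';
run_php_event_unverified($options);                          // runs the attacker's code
```

The check only helps when the HMAC key is not reachable through the same primitive the attacker has: a key stored in wp_options would simply be overwritten along with the code, which is why the example keeps it in configuration. Events stored before the hash existed must also be handled; the example refuses them, and an upgrade path that re-hashes them under an administrator's action is the usual alternative.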


WAF Protection Rules

WAF Rule

Impact

WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code [subject to the restrictive security permissions documented here](https://wp-crontrol.com/docs/php-cron
