Description
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
Exploits (1)
nomisec
WORKING POC
4 stars
by michael-david-fry · poc
https://github.com/michael-david-fry/CVE-2023-22622
References (7)
Core References
Product, Vendor Advisory
https://developer.wordpress.org/plugins/cron/
Third Party Advisory
https://github.com/WordPress/WordPress/blob/dca7b5204b5fea54e6d1774689777b359a9222ab/wp-cron.php#L5-L8
Third Party Advisory
https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/
Vendor Advisory
https://wordpress.org/about/security/
Vendor Advisory
https://wordpress.org/support/article/how-to-install-wordpress/
Third Party Advisory
https://www.tenable.com/plugins/was/113449
Scores
CVSS v3
5.3
EPSS
0.0842
EPSS Percentile
92.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
Status
published
Products (1)
wordpress/wordpress
< 6.1.1
Published
Jan 05, 2023
Tracked Since
Feb 18, 2026