Recently, NIST's National Vulnerability Database (NVD) published CVE-2023-22622 as a vulnerability affecting WordPress 6.1.1 and below.
The following is an explanation of the results of our investigation.

This vulnerability was downgraded from a vulnerability score of 7.5 to 5.3 on February 2, 2023. It is no longer included in our vulnerability check warnings.

*This article was originally written on January 27, 2023. The situation may have changed over time.

Vulnerability score 7.5, vulnerability affecting all WordPress 6.1.1 and below?

The CVSS score is calculated on a 10-point scale, weighting factors such as whether the vulnerability can be exploited remotely, whether it lets an attacker take over the system, whether it allows data to be tampered with, and whether it can be exploited without authentication.

CVE-2023-22622 was given a score of 7.5, which is rated High on the CVSS scale, and although no patch or update has been released, every WordPress version up to and including 6.1.1 is affected. However, we believe that no immediate action is necessary.

NIST CVE-2023-22622 Vulnerability Description

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes “the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner,” but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

In plain language
WordPress up to 6.1.1 relies on wp-cron.php being run to carry out its scheduled tasks, including security updates. WP-Cron (WordPress's built-in task scheduler) is only triggered when someone visits the site, so when it actually runs is unpredictable. The source code itself describes “the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner,” but neither the installation guide nor the security guide mentions this default behavior or warns users about the security risk on installations with very few visits.

In other words, the warning is that on a site with very little traffic, scheduled tasks (including automatic security updates) may not run in a timely manner, because WordPress only triggers its scheduler when a page is requested.

The specific method of attack is not clear.

The NVD entry for the vulnerability only links to the above official WordPress explanation of WP-Cron; it does not link to any specific method of attack.

There is also a link to https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30, which argues that because wp-cron.php is triggered by page requests, excessive requests to it can make the site unstable; in effect, it can be used for a DDoS attack (a cyber-attack that floods a website or server with requests and data).
However, this is generally a type of attack that is mitigated on the server side.
Unless your company's site is a worthwhile target for an attacker to take down with a flood of requests (very few sites are), or if your server already has DDoS protection in place, this is not a problem.

Conclusion on CVE-2023-22622

As far as the NVD page is concerned, the solution it links to is a setting in wp-config.php that stops WP-Cron.

↓Include in wp-config.php

define('DISABLE_WP_CRON', true);

However, once this line is added, WordPress no longer triggers its scheduler on page visits, so features that depend on it, such as scheduled posts, will not run unless wp-cron.php is called by some other means.
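The usual way to keep scheduled tasks working after adding that line is to run wp-cron.php from the server's own cron on a fixed interval, which also addresses the low-traffic scenario the vulnerability description is about. The script below is an added example and is not part of the original article or of WordPress itself; the wp-config.php path and the site URL it takes are hypothetical inputs.

```shell
#!/bin/sh
# Added example, not from the original article or from WordPress.
# Replaces the visit-triggered WP-Cron spawner with a real system cron job:
#   1. set DISABLE_WP_CRON in wp-config.php (exactly once, before wp-settings.php is loaded)
#   2. emit a crontab line that requests wp-cron.php every 15 minutes.
# Hypothetical inputs: the path to wp-config.php and the site's public URL.
set -eu

# Insert define('DISABLE_WP_CRON', true); ahead of the "stop editing" marker that
# stock wp-config.php files carry just before the require of wp-settings.php.
# Idempotent: a file that already mentions DISABLE_WP_CRON is left untouched.
disable_wp_cron() {
  cfg="$1"
  if grep -q 'DISABLE_WP_CRON' "$cfg"; then
    return 0
  fi
  tmp="$cfg.tmp.$$"
  if awk -v line="define('DISABLE_WP_CRON', true);" '
        /stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) exit 1 }   # no marker: refuse rather than guess a position
      ' "$cfg" > "$tmp"; then
    mv "$tmp" "$cfg"
  else
    rm -f "$tmp"
    echo "no 'stop editing' marker in $cfg; add the define manually before wp-settings.php" >&2
    return 1
  fi
}

# Crontab entry that runs the scheduler on a fixed interval, independent of traffic.
# doing_wp_cron is the query parameter WordPress appends when it spawns the request itself.
cron_line() {
  site_url="$1"
  printf '*/15 * * * * curl -fsS "%s/wp-cron.php?doing_wp_cron" >/dev/null 2>&1\n' "$site_url"
}

# Usage: ./wp-cron-fix.sh /var/www/html/wp-config.php https://example.com
if [ "$#" -eq 2 ]; then
  disable_wp_cron "$1"
  echo "Add this line with 'crontab -e':"
  cron_line "$2"
fi
```

The script prints the crontab line rather than installing it, because `crontab -` would replace the whole crontab of the invoking user; add the line with `crontab -e` on the web server (or on any host that can reach the site). If your wp-config.php has no "That's all, stop editing!" marker, the script refuses to edit it, since the define must appear before wp-settings.php is required.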

We believe that there is no need to do anything immediately about this vulnerability, since it is essentially a “WP-Cron specification alert” and “the specific method of attack is not known.”

If you are concerned about malware infection or security,
Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]