WP Crontrol < 1.16.2 – Remote Code Execution | CVE 2024-28850

Description

The WP Crontrol plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.1 when another vulnerability is present on the site that allows access to editing the database. This makes it possible for attackers to execute code on the server. Please see the advisory in references for more in depth details.

Proof of Concept

https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5q

Affects Plugins

wp-crontrol

Fixed in 1.16.2

References

CVE

CVE-2024-28850

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1b0c1afc-0e77-4a56-89cb-84e2fcc8aa21

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

6.6 (medium)

Miscellaneous

Original Researcher

Calvin Alkan

Verified

WPVDB ID

09ad62c7-ee1a-403c-b6ba-59fba697bb2c

Timeline

Publicly Published

2024-03-24 (about 2 years ago)

Added

2024-05-09 (about 1 year ago)

Last Updated

2024-05-09 (about 1 year ago)

Other

Published

Title

Published

2026-03-20

Title

Kali Forms < 2.4.10 - Unauthenticated Remote Code Execution via form_process

Published

2025-04-01

Title

DigiWidgets Image Editor <= 1.10 - Unauthenticated Remote Code Execution

Published

2024-06-05

Title

Album and Image Gallery plus Lightbox < 2.1 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-07-16

Title

Bears Backup < 2.1.0 - Unauthenticated Remote Code Execution

Published

2025-04-17

Title

Target Video Easy Publish <= 3.8.9 - Subscriber+ Arbitrary Shortcode Execution