WP Crontrol – 1.17.0 – 1.19.1 – Authenticated (Administrator+) Blind Server-Side Request Forgery | CVE 2025-8678 | Plugin Vulnerabilities

Description

The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Fixed in 1.19.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ab40146d-9b49-4214-af73-41c5b5512542

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

11e49b9b-374c-435e-986a-173769142cbd

Timeline

Publicly Published

2025-08-21 (about 8 months ago)

Added

2025-08-21 (about 8 months ago)

Last Updated

2025-08-25 (about 8 months ago)

Other

Published

Title

Published

2025-08-22

Title

Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin < 4.0.38 - Unauthenticated Server-Side Request Forgery

Published

2025-11-26

Title

AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.1 - Unauthenticated Server-Side Request Forgery via 'pinecone_url' Parameter

Published

2024-11-01

Title

Magical Addons For Elementor < 1.2.3 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2021-04-13

Title

WP Smart Import < 1.0.1 - Auhenticated Server-side Request Forgery

Published

2025-04-09

Title

IndieBlocks < 0.13.2 - Unauthenticated Server-Side Request Forgery