WP Crontrol Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in the WP Crontrol plugin for WordPress, affecting versions 1.17.0 prior to 1.19.1. This vulnerability allows authenticated attackers with administrator-level access to make web requests to arbitrary locations from the web application, potentially querying and modifying information from internal services.
Impact
Exploitation of this vulnerability could lead to unauthorized requests being made to internal services, allowing for potential data manipulation or access to sensitive information.
Reproduction
To reproduce this vulnerability, an authenticated user with administrator privileges can create or edit a cron event that includes a URL. The event can then be triggered, which will cause the application to make a request to the specified URL. If the URL is directed towards an internal service, this could result in unauthorized access or modification of data.
Remediation
Users are advised to update the WP Crontrol plugin to version 1.19.2 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.