WordPress 'wp-cron.php' Accessible/Enabled (HTTP) - Active Check

2023-02-2400:00:00

plugins.openvas.org

wordpress

wp-cron.php

active check

security implications

cve-2023-22622

mitigation

disable

restrict access

system cron

5.3 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.1%

JSON

The remote WordPress instance might have a default setup of

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:wordpress:wordpress";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.104560");
  script_version("2023-10-13T16:09:03+0000");
  script_tag(name:"last_modification", value:"2023-10-13 16:09:03 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-02-24 08:58:19 +0000 (Fri, 24 Feb 2023)");
  script_tag(name:"cvss_base", value:"4.6");
  script_tag(name:"cvss_base_vector", value:"AV:A/AC:H/Au:N/C:N/I:N/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-02-02 16:42:00 +0000 (Thu, 02 Feb 2023)");

  script_cve_id("CVE-2023-22622");

  # nb: Unreliable because we can only check remotely if the file is accessible but can't determine
  # if the config setting has been done which is already mitigating the flaws.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"Mitigation");

  script_name("WordPress 'wp-cron.php' Accessible/Enabled (HTTP) - Active Check");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_wordpress_http_detect.nasl");
  script_require_ports("Services/www", 80);
  script_mandatory_keys("wordpress/http/detected");

  script_tag(name:"summary", value:"The remote WordPress instance might have a default setup of
  'wp-cron.php' configured which could have security implications.");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  script_tag(name:"insight", value:"The following security implications might exist:

  - No CVE: A denial of service (DoS) on high traffic sites caused by WordPress executing
  'wp-cron.php' multiple times a minute using an HTTP request.

  - CVE-2023-22622: WordPress depends on unpredictable client visits to cause wp-cron.php execution
  and the resulting security updates, and the source code describes 'the scenario where a site may
  not receive enough visits to execute scheduled tasks in a timely manner' but neither the
  installation guide nor the security guide mentions this default behavior, or alerts the user about
  security risks on installations with very few visits.");

  script_tag(name:"affected", value:"All WordPress sides having a default setup of 'wp-cron.php'
  configured.");

  script_tag(name:"solution", value:"The following mitigation steps are suggested:

  - Add the following to the 'wp-config.php' file of the instance:

    define('DISABLE_WP_CRON', true)<semicolon>

  - Restrict external access to 'wp-cron.php'

  - Configure and enable a system cron to call 'wp-cron.php' locally via PHP instead

  Please see the references for more information.");

  script_xref(name:"URL", value:"https://patchstack.com/articles/solving-unpredictable-wp-cron-problems-addressing-cve-2023-22622/");
  script_xref(name:"URL", value:"https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30");
  script_xref(name:"URL", value:"https://core.trac.wordpress.org/ticket/57159");
  script_xref(name:"URL", value:"https://github.com/advisories/GHSA-pmh6-cq54-943m");

  exit(0);
}

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("list_array_func.inc");
include("misc_func.inc");

if( ! port = get_app_port( cpe:CPE, service:"www" ) )
  exit( 0 );

if( ! dir = get_app_location( cpe:CPE, port:port ) )
  exit( 0 );

if( dir == "/" )
  dir = "";

url = dir + "/wp-cron.php";

res = http_get_cache( port:port, item:url );

# nb: If wp-cron.php is accessible we can see the following:
# - A 200 OK status code
# - A text/html Content-Type
# - An empty body
# We need to have such a strict check because there are site configurations which throws a 200
# status code for every request.
if( ! res || res !~ "^HTTP/1\.[01] 200" )
  exit( 0 );

headers = http_extract_headers_from_response( data:res );
body = http_extract_body_from_response( data:res );
if( ! body || ! headers || headers !~ "Content-Type\s*:\s*text/html" )
  exit( 0 );

# nb: Body might only include newlines here so we need to strip them away before doing the check
# below.
body = chomp( body );

if( strlen( body ) == 0 ) {
  info["HTTP Method"] = "GET";
  info["Affected URL"] = http_report_vuln_url(port: port, url: url, url_only: TRUE);

  report  = 'By doing the following HTTP request:\n\n';
  report += text_format_table( array:info ) + '\n\n';
  report += 'the response indicates that the system is exposing "wp-cron.php".\n\n';
  report += 'Note: Such systems reply with a 200 (OK), a text/html Content-Type and an empty body.';
  report += '\n\nResult:\n\n' + chomp( res );
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 0 ); # nb: No exit(99); because the usage of wp-cron.php might be already disabled in WordPress...