WordPress versions up to 6.1.1 primarily rely on an inherently unpredictable factor, client visits, to trigger the execution of wp-cron.php, which in turn manages important security updates. Consequently, security updates may be delayed, making websites running WordPress more susceptible to security risks, particularly those with a low volume of visitors.

The WordPress source code itself acknowledges that the default wp-cron.php behavior can delay scheduled tasks on sites that receive too few visits, but this information is noticeably absent from both the installation and security guides. As a result, users are often left unaware of the risks associated with such installations.

Code Snippet

In the WordPress source code, wp-cron.php is triggered by page visits. The following code snippet shows this behavior:

```php
// Run wp-cron.php only when visitors access the site; DOING_CRON is set while
// the cron request itself is executing, so it does not re-trigger itself.
if ( ! defined( 'DOING_CRON' ) || ! DOING_CRON ) {
	add_action( 'init', 'wp_cron' );
}
```

As evident from the code above, wp_cron() is hooked to the init action only when the DOING_CRON constant is undefined or set to false, and init fires as part of serving a page request. This means that the trigger for executing wp-cron.php is dependent on client visits, which can be unpredictable and sparse for certain websites.

Exploit Details

Due to the default behavior of WordPress, websites with low traffic may see a delay before security updates are applied. Malicious actors aware of this vulnerability can exploit it by specifically targeting such websites in the window between the release of a security patch and its actual installation.

Furthermore, backlogged scheduled tasks and pending security updates within the WordPress installation put the website at greater risk of compromise in such instances. Considering that this behavior remains unaddressed in the WordPress documentation, many users may not even be aware of the risks they are exposed to.

References

- WordPress Core Source Code: https://core.trac.wordpress.org/browser/tags/6.1.1/src/wp-cron.php
- WordPress Installation Guide: https://wordpress.org/support/article/how-to-install-wordpress/
- WordPress Security Guide: https://wordpress.org/support/article/hardening-wordpress/

Suggested Mitigation and Recommendations

To avoid depending on unpredictable client visits as the trigger for wp-cron.php, users can implement the following steps:

1. Disable the default WordPress cron behavior: To prevent client visits from dictating when wp-cron.php runs, disable the default behavior with a single constant definition in wp-config.php.

2. Set up a server-level cron job: Instead of relying on client visits, set up a server-level cron job that periodically requests wp-cron.php. This guarantees that scheduled tasks run on time regardless of traffic. For example, to run the job every hour, add the following entry to the crontab (five time fields are required; the first field, `0`, runs it at the top of each hour, and the URL is quoted so the shell does not interpret the `?`):

```sh
0 * * * * wget -q -O - "https://example.com/wp-cron.php?doing_wp_cron" >/dev/null 2>&1
```

(Replace "example.com" with the actual domain of the website.)
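The following POSIX shell script is an added example, not part of the original advisory or of WordPress itself. It audits an installation for the two mitigations described in the steps above: it assumes that step 1 is implemented with the WordPress constant DISABLE_WP_CRON set to true in wp-config.php, and that step 2 is a crontab entry requesting wp-cron.php. The sample wp-config.php fragments and crontab lines it writes to a temporary directory are constructed for the demonstration; the malformed four-field crontab line shows the kind of entry cron would not run as intended.

```sh
#!/bin/sh
# Added example (not from the original advisory or from WordPress): check a
# WordPress install for the two mitigations described above. All file contents
# below are constructed sample data.

# Succeed (exit 0) when the given wp-config.php defines DISABLE_WP_CRON as true.
wp_cron_disabled() {
  grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Succeed when the given crontab file holds a well-formed five-field entry that
# requests wp-cron.php. An entry with only four time fields is rejected, since
# cron would read the command word as the fifth field. @hourly-style shortcuts
# are deliberately not recognised by this simple check.
crontab_has_wp_cron() {
  grep -Eq '^[[:space:]]*([0-9*/,-]+[[:space:]]+){5}.*wp-cron\.php' "$1"
}

# Report both checks; succeed only when both mitigations are present.
audit_wp_cron() {
  config="$1"; crontab_file="$2"; status=0
  if wp_cron_disabled "$config"; then
    echo "DISABLE_WP_CRON: set in $config"
  else
    echo "DISABLE_WP_CRON: missing in $config (visit-triggered cron still active)"
    status=1
  fi
  if crontab_has_wp_cron "$crontab_file"; then
    echo "system cron: valid wp-cron.php entry found in $crontab_file"
  else
    echo "system cron: no valid wp-cron.php entry in $crontab_file"
    status=1
  fi
  return $status
}

# Constructed sample inputs in a temporary directory, removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/hardened-wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISABLE_WP_CRON', true );
EOF

cat > "$SAMPLE_DIR/default-wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
EOF

# Correct entry: hourly, five time fields, URL quoted so the shell leaves it alone.
cat > "$SAMPLE_DIR/good.crontab" <<'EOF'
0 * * * * wget -q -O - "https://example.com/wp-cron.php?doing_wp_cron" >/dev/null 2>&1
EOF

# Broken entry: only four time fields, so cron does not schedule it as intended.
cat > "$SAMPLE_DIR/bad.crontab" <<'EOF'
* * * * wget -q -O - https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1
EOF

echo "== hardened install =="
audit_wp_cron "$SAMPLE_DIR/hardened-wp-config.php" "$SAMPLE_DIR/good.crontab"
echo "== default install =="
audit_wp_cron "$SAMPLE_DIR/default-wp-config.php" "$SAMPLE_DIR/bad.crontab" || true
```

Run against a real site, the two functions take the path of the live wp-config.php and the output of `crontab -l` saved to a file; a non-zero exit from audit_wp_cron means at least one mitigation is absent.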

By implementing these changes, users gain a more reliable and secure means of executing scheduled tasks, including important security updates, on websites with fewer visits. WordPress developers should also consider updating their documentation to make users aware of this potential security risk and to suggest the mitigation techniques above.

Timeline

Published on: 01/05/2023 02:15:00 UTC
Last modified on: 02/02/2023 16:42:00 UTC