CVE CyberSecurity Database News

CVE-2023-22622 - The Quiet WordPress Security Risk No One Is Talking About

Poster -

WordPress powers a huge chunk of the internet—over 40% of all websites, actually. Its reputation is built on being easy to use, simple to install, and full of plugins. But sometimes, things are a little too simple. There's a hidden risk in how WordPress handles scheduled tasks and security updates—a silent problem described in CVE-2023-22622. If your site doesn't get much traffic, you could be missing vital updates and security patches, and WordPress won't tell you about it.

In this long read, we'll break down what this issue is, why it matters, and what you can do. We'll include some code you can use to check your own site—and links to the official references.

What Is CVE-2023-22622?

WordPress tries to schedule regular background jobs to run maintenance, send out emails, and—critically—handle security updates. This is done using a script called wp-cron.php. However, WordPress doesn't use a standard system cron by default; instead, it “fakes” scheduled tasks by running wp-cron.php whenever someone visits your site.

It's a clever shortcut, but there's a massive flaw: if nobody visits your site, none of those background tasks will run. That means stuff like security updates can be delayed for days, weeks, or *indefinitely*—and WordPress doesn't make this risk clear in the installation or security guides.

The source code itself admits the problem (see the comment here), but average users are left in the dark.

Where's the Problem in the Source Code?

Here's the relevant line from the WordPress core:

/**
 * Retrieve cron info array option.
 *
 * The cron option will be an array of timestamps and names of functions
 * to call at that time.  This option is for internal use only.
 *
 * This implements the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner.
 */
function _get_cron_array() {
    $cron = get_option( 'cron' );
    //...
}

The comment recognizes the downside. If your site isn't getting enough visitors, WordPress can't trigger those scheduled tasks—and you won't be notified.

Real-Life Effects

Imagine a small business blog. It only gets a few visits per week. If a crucial WordPress update—or a plugin update—is released because of a security vulnerability (like the infamous REST API bug in WP 4.7./4.7.1), but no one happens to visit that site in the next few days, the update simply doesn't run.

Is This a Bug or a Feature?

Both. It’s by design, but the risk is not clearly communicated to website owners. The official WordPress security hardening guide and the installation guide don't mention this risk at all.

Can Someone Exploit This?

Yes—although CVE-2023-22622 is more about a lack of defense than an active exploit. *Attackers* can use tools to scan the internet for WordPress sites running outdated software. If they find sites that haven’t triggered scheduled WP updates, they're easy pickings.

How to Check If Your Site Is At Risk

Add this code snippet to your functions.php or run it via a plugin. This will tell you when wp-cron last ran a task:

add_action('admin_notices', function() {
    $cron = get_option('cron');
    if (!$cron) {
        echo "<div class='notice notice-error'><p>No cron jobs found. Your site may not be processing scheduled tasks.</p></div>";
        return;
    }
    $last = ;
    foreach ($cron as $timestamp => $jobs) {
        if (is_numeric($timestamp) && $timestamp > $last) {
            $last = $timestamp;
        }
    }
    $last_run = date('Y-m-d H:i:s', $last);
    echo "<div class='notice notice-info'><p>Last scheduled task was set to run at: $last_run (server time).</p></div>";
});

If the time is days or weeks in the past, your scheduled tasks (and updates) are not running regularly.

How to Fix: Set Up a Real Cron Job

The best practice is to disable WordPress's lazy wp-cron.php and use a real system cron. Here’s how:

Edit your wp-config.php, add this before /* That&#039;s all, stop editing! ... */

define('DISABLE_WP_CRON', true);

Set up a real cron job on your server (cPanel, Plesk, SSH, etc)

*/10 * * * * wget -q -O - https://your-site.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

This runs wp-cron.php every 10 minutes, no matter whether anyone visits your site or not!

References

- CVE-2023-22622 on NVD
- WordPress Trac: Cron Source Code
- WordPress Security Hardening Guide
- How to Install WordPress
- Official guide to using a real cron

TL;DR

CVE-2023-22622 is a silent problem in WordPress: if your site doesn't get regular visitors, it could miss out on crucial security updates and other scheduled tasks—without warning you. To keep your site safe, set up a real cron job and don't rely on visitor traffic.

Is your site at risk? Check your cron jobs today!

*This article is original, exclusive, and written in simple language for all WordPress users. Stay secure, stay aware.*

Timeline

Published on: 01/05/2023 02:15:00 UTC
Last modified on: 02/02/2023 16:42:00 UTC