Cyber Resilience

CVE-2023-22622

Severity: Medium
Published: 05 January 2023
Modified: 07 April 2025
KEV Added: not listed
Patch
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0842 (92.5th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22622 is a medium-severity vulnerability of unspecified weakness type (no CWE assigned) in WordPress. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, its EPSS score places it in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

WordPress through version 6.1.1 relies on unpredictable client visits to trigger execution of wp-cron.php, which in turn handles scheduled security updates and other tasks. The wp-cron.php source code itself acknowledges the risk that low-traffic sites may not execute these tasks promptly, yet neither the installation guide nor the security documentation warns administrators about this default behavior or the resulting exposure on installations that receive few visits.

The CVSS vector describes an attacker on an adjacent network (AV:A) who faces high attack complexity (AC:H) but needs no privileges (PR:N) or user interaction (UI:N), and whose impact is confined to availability (A:H) with no effect on confidentiality or integrity. Under those conditions the attacker can interfere with cron execution, leaving affected sites without timely security updates or other scheduled maintenance whenever visit volume is insufficient to drive wp-cron.php.

Advisories and references, including the Patchstack article on solving unpredictable wp-cron problems and the official WordPress security page, point to replacing the default visit-triggered mechanism with a system cron job or equivalent external scheduler to ensure reliable execution regardless of traffic levels. The associated EPSS score reached a peak of 0.1026 before receding to its current value of 0.0842, indicating modest post-disclosure interest that has since declined.
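The mitigation the advisories point to has two halves: stop WordPress from running wp-cron.php on page visits, and make a system scheduler run it instead. The audit helper below is an added example, not code from the CVE record or from WordPress; it assumes a wp-config.php and a crontab dump are supplied as files, and its sample inputs are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the CVE record): checks whether a WordPress
# install has replaced visit-triggered wp-cron.php with a system cron job.
# Assumes the caller passes a wp-config.php and a crontab dump as file paths.

# 0 when wp-config.php sets DISABLE_WP_CRON to true (stops visit-triggered runs).
wp_cron_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# 0 when an uncommented crontab line invokes wp-cron.php (php CLI or HTTP fetch).
system_cron_present() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -q 'wp-cron\.php'
}

# 0 only when both halves of the mitigation are in place; 1 otherwise.
# Disabling the visit trigger without a system job is worse than the default,
# because scheduled tasks then never run at all, so that case is flagged too.
check_wp_cron_config() {
    if ! wp_cron_disabled "$1"; then
        echo "WEAK: DISABLE_WP_CRON not set to true; wp-cron.php still runs on visits"
        return 1
    fi
    if ! system_cron_present "$2"; then
        echo "WEAK: DISABLE_WP_CRON is true but no system cron job runs wp-cron.php"
        return 1
    fi
    echo "OK: scheduled tasks are driven by a system cron job"
    return 0
}

# Constructed sample inputs (not taken from any real site).
WORK=$(mktemp -d)
cat > "$WORK/weak-config.php" <<'EOF'
<?php
define( 'WP_DEBUG', false );
EOF
: > "$WORK/weak-crontab"
cat > "$WORK/hardened-config.php" <<'EOF'
<?php
define( 'DISABLE_WP_CRON', true );
EOF
cat > "$WORK/hardened-crontab" <<'EOF'
# run WordPress scheduled tasks every five minutes regardless of traffic
*/5 * * * * php /var/www/html/wp-cron.php >/dev/null 2>&1
EOF

check_wp_cron_config "$WORK/weak-config.php" "$WORK/weak-crontab" || true
check_wp_cron_config "$WORK/hardened-config.php" "$WORK/hardened-crontab"
```

On a live host, point the two arguments at the site's wp-config.php and the output of `crontab -l` for the user that should run the job.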

EU & UK References

Vulnerability details

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wordpress
Product: wordpress
Versions: ≤ 6.1.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References