=1.17.0, <1.19.2

Q: How to fix?

Upgrade johnbillion/wp-crontrol to version 1.19.2 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PHP-JOHNBILLIONWPCRONTROL-12089396
published21 Aug 2025
disclosed19 Aug 2025
creditJonas Benjamin Friedli

Report a new vulnerability Found a mistake?

Introduced: 19 Aug 2025

NewCVE-2025-8678 (opens in a new tab) CWE-918 (opens in a new tab)

How to fix?

Upgrade johnbillion/wp-crontrol to version 1.19.2 or higher.

Overview

johnbillion/wp-crontrol is a package that allows you to take control of the cron events on your WordPress website.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the wp_remote_request function. An attacker can send arbitrary HTTP requests from the server to internal or external locations by crafting malicious cron events. This is only exploitable if the attacker has Administrator-level access.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
Low
Availability (SA)
Low