
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-22622 is a security concern in WordPress's task scheduling implementation (WP-Cron) discovered in January 2023. The vulnerability stems from WordPress's reliance on site visitors to trigger scheduled tasks, which could lead to important scheduled tasks (such as software updates) running inconsistently or not at all. This particularly affects WordPress installations with low-to-no traffic, such as sites running on private networks, Docker images, strictly firewalled environments, development/staging environments, and VPN-accessible sites (Patchstack).
The vulnerability is classified as a CWE-392 (Missing Error Report) concern. WP-Cron functions more like a queue than a traditional scheduler, checking for pending tasks during page loads rather than running as a persistent background process. When a request comes to the site, WordPress generates an additional request to wp-cron.php over HTTP(S), which can lead to resource usage spikes and unnecessary traffic in high-traffic scenarios. The vulnerability has been assigned a CVSS v3 base score of 5.3 (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) (Tenable).
The primary impact of this vulnerability is the potential failure of critical scheduled tasks, particularly in low-traffic environments. Important operations such as checking for updates in plugins, themes, and WordPress core, as well as performing the updates themselves, may not execute in a timely manner. This could leave WordPress installations vulnerable to security issues by missing important security updates (Patchstack).
WordPress has implemented several mitigations, including Site Health checks that report when scheduled events are not performed and notifications for users with automatic updates enabled when tasks fail to run. For a more permanent solution, site administrators can disable the default WP-Cron behavior by adding 'DISABLE_WP_CRON' set to true in wp-config.php and setting up a system-level cron job to handle scheduled tasks. This ensures tasks run on a predictable schedule regardless of site traffic (Patchstack).
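The following audit script is an added example, not code from WordPress, Patchstack or this database. It classifies a host by whether the mitigation above was applied completely. The file paths, the five-minute schedule and the verdict names are assumptions; the sample files are constructed, and the simple pattern only recognises a literal define(..., true) on an uncommented line.

```shell
#!/bin/sh
# Added example: classify a WordPress host by how WP-Cron is triggered.

# True if wp-config.php ($1) defines DISABLE_WP_CRON as true on an active line.
wpcron_disabled() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)" "$1"
}

# True if crontab text ($1) has an uncommented entry that runs wp-cron.php
# or WP-CLI's "wp cron event run".
system_cron_present() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Eq 'wp-cron\.php|wp cron event run'
}

# Prints one verdict for a (wp-config.php, crontab) pair.
audit_wpcron() {
    if wpcron_disabled "$1"; then
        # Visitor trigger is off: a system job is now the only scheduler.
        if system_cron_present "$2"; then echo ok; else echo no-scheduler; fi
    else
        # Default behaviour: tasks still depend on page loads.
        if system_cron_present "$2"; then echo double-trigger; else echo visitor-triggered; fi
    fi
}

# Constructed sample inputs (paths and schedule are assumptions).
d=$(mktemp -d)
printf '%s\n' '<?php' "define( 'DISABLE_WP_CRON', true );" > "$d/cfg_off.php"
printf '%s\n' '<?php' "// define('DISABLE_WP_CRON', true);" > "$d/cfg_default.php"
printf '%s\n' '*/5 * * * * cd /var/www/html && wp cron event run --due-now' > "$d/tab_job"
printf '%s\n' '# */5 * * * * php /var/www/html/wp-cron.php' > "$d/tab_none"

for cfg in cfg_off.php cfg_default.php; do
    for tab in tab_job tab_none; do
        echo "$cfg + $tab: $(audit_wpcron "$d/$cfg" "$d/$tab")"
    done
done
```

The no-scheduler verdict is the one to alert on: the visitor trigger has been turned off but nothing replaces it, so scheduled tasks, update checks included, do not run at all.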
Source: This report was generated using AI