Advisories for Composer/Johnbillion/Wp-Crontrol package

2024

WP Crontrol vulnerable to possible RCE when combined with a pre-condition

WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability. This …