| purl | pkg:composer/johnbillion/wp-crontrol@1.13.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-t9jk-6dsr-7ues (Aliases: CVE-2024-28850, GHSA-9xvf-cjvf-ff5q) | WP Crontrol vulnerable to possible RCE when combined with a pre-condition. WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code [subject to the restrictive security permissions documented here](https://wp-crontrol.com/docs/php-cron-events/). While there is _no known vulnerability in this feature on its own_, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability. This is exploitable on a site if one of the below preconditions are met:<br>* The site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core<br>* The site's database is compromised at the hosting level<br>* The site is vulnerable to a method of updating arbitrary options in the `wp_options` table<br>* The site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters | Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-01T07:56:58.238037+00:00 | GitLab Importer | Affected by | VCID-t9jk-6dsr-7ues | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/johnbillion/wp-crontrol/CVE-2024-28850.yml | 38.6.0 |