CVE-2024-28850: 
PHP vulnerability analysis and mitigation

WP Crontrol, a WordPress plugin that controls cron events, was found to have a potential security vulnerability (CVE-2024-28850) that could lead to Remote Code Execution (RCE) when combined with specific pre-conditions. The vulnerability affects versions prior to 1.16.2, with the security fix being released on March 24, 2024. The plugin includes a feature allowing administrative users to create events in the WP-Cron system that store and execute PHP code (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue stems from the plugin's feature that executes stored PHP code in cron events. While this feature itself is not directly vulnerable, it becomes exploitable when combined with other vulnerabilities such as SQL injection, compromised database access, or arbitrary option updates in the wp_options table (GitHub Advisory, WPScan).

If successfully exploited, the vulnerability could allow attackers to execute arbitrary code on the server. This could potentially lead to complete system compromise, data breaches, and unauthorized access to the WordPress installation. The severity is particularly high due to the potential for remote code execution, though the actual risk depends on the presence of specific pre-conditions (GitHub Advisory).

The vulnerability has been patched in WP Crontrol version 1.16.2, which introduces an anti-tampering mechanism for PHP cron events. The update implements an integrity check using HMAC to store a hash of the code alongside the event when saved. The plugin will not execute PHP code if the hash cannot be verified or is absent. Users are strongly advised to upgrade to version 1.16.2 or later, as there are no effective workarounds for this issue (GitHub Release).