As you may know, Drupal 6 has reached End-of-Life (EOL), which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib plugins – but the Drupal 6 LTS vendors are, and we're one of them!

Today, a security update for Elysia Cron was released for Drupal 7 per the SA-CONTRIB-2020-062 security advisory.

All the update does is mark the permission to administer Elysia Cron as "dangerous" because it allows users to execute arbitrary PHP code. This is by design: it's an explicit feature of Elysia Cron – if it wasn't intended by the plugin authors, it would have been a Remote Code Execution vulnerability. However, users might not be aware that the permission grants the ability to execute PHP, hence the security advisory!

Unfortunately, there isn't a way to mark a permission as dangerous under Drupal 6. There isn't even a way to have separate machine names and human-readable labels for permissions, so there isn't a straightforward way to add a user-visible message. :-(

So, the Drupal 6 Long-Term Support vendors (us included) have decided to simply announce the problem and ask anyone using Elysia Cron to audit which users/roles have the "administer elysia_cron" permission and make sure it's OK that they can execute arbitrary PHP code.

We're going to be auditing the permission on our clients' sites, so if you're one of our customers – no need to worry! We'll contact you if we have any concerns.

If you'd like us to handle this and similar issues, as well as have all your Drupal 6 plugins receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
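One way to run the audit described above, as an added example that is not part of the original post or the Elysia Cron project. It assumes the Drupal 6 core table layout (`role`, `permission` with one comma-separated `perm` string per role, `users`, `users_roles`) and runs against constructed sample rows in an in-memory SQLite database; the decoy permission name is made up.

```python
import sqlite3

PERM = "administer elysia_cron"

def build_sample_db():
    """Constructed sample rows, laid out like the Drupal 6 core tables (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT);
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
                                (3,'editor'),(4,'site admin');
        INSERT INTO permission VALUES
            (1, 1, 'access content'),
            (2, 2, 'access content, administer elysia_cron_demo'), -- made-up decoy
            (3, 3, 'access content, administer nodes, administer elysia_cron'),
            (4, 4, 'administer elysia_cron, administer users');
        INSERT INTO users VALUES (0,'',0),(1,'root',1),(5,'alice',1),
                                 (6,'bob',1),(7,'carol',0),(8,'dave',1);
        INSERT INTO users_roles VALUES (5,3),(6,4),(7,3);
    """)
    return db

def audit(db, perm=PERM):
    """Return ({rid: role name}, {uid: (user name, reason)}) for holders of perm."""
    roles = {}
    for rid, name, perms in db.execute(
            "SELECT r.rid, r.name, p.perm FROM permission p JOIN role r ON r.rid = p.rid"):
        # One comma-separated string per role: compare whole entries, not substrings.
        if perm in [p.strip() for p in perms.split(",")]:
            roles[rid] = name
    # uid 1 passes every access check, whatever its roles are.
    holders = {uid: (name, "uid 1") for uid, name in
               db.execute("SELECT uid, name FROM users WHERE uid = 1")}
    # Explicit role membership; blocked accounts (status 0) are skipped.
    for uid, name, rid in db.execute(
            "SELECT u.uid, u.name, ur.rid FROM users u "
            "JOIN users_roles ur ON ur.uid = u.uid WHERE u.status = 1"):
        if rid in roles:
            holders.setdefault(uid, (name, roles[rid]))
    if 2 in roles:  # rid 2 applies to every logged-in account, with no users_roles rows
        for uid, name in db.execute(
                "SELECT uid, name FROM users WHERE uid > 0 AND status = 1"):
            holders.setdefault(uid, (name, roles[2]))
    return roles, holders

if __name__ == "__main__":
    roles, holders = audit(build_sample_db())
    print("Roles:", roles)
    print("Active accounts:", holders)
```

If rid 1 (anonymous user) shows up in the returned roles, every unauthenticated visitor holds the permission, which the user list cannot show.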