⚠️ Potential ForceOP exploit

[ProJakob]

Sending a plugin message to the channel ecb:channel with the UTF-String contents ActionsSubChannel and console_command: op %player% will result in the plugin running the untrusted command from the packet. This needs bungeecord to be enabled in the spigot.yml file.

Potential fix:
Simply blocking any messages coming on that channel from a client connection via the proxy (Velocity, Bungeecord) would resolve this issue.

[Ajneb97]

This is already being fixed and tested.

[Tjorven-Liebe]

Maybe put this into your consideration PR
@Ajneb97

[ffhgfr7hcdr7jjbcf]

The exploit was being abused by me and my friend for a few weeks now so it isn't "potential" but still nice that you're warning people.