CVE-2024-50498
Published 2024-10-28
Priority: P1 · 89 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 53.64% (98.9th percentile)
Improper Control of Generation of Code ('Code Injection') vulnerability in Ajit Bohra WP Query Console wp-query-console allows Code Injection. This issue affects WP Query Console: from n/a through <= 1.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ajit_bohra | wp_query_console | <= 1.0 | — |
| lubus | wp_query_console | <= 1.0 | — |
Detection & IOCs (extracted from sources)
- Exploit traffic is an unauthenticated POST request to the REST endpoint /index.php?rest_route=/wqc/v1/query with a JSON body containing 'queryArgs' (PHP code) and 'queryType'. No authentication required.
- Presence of the wp-query-console plugin directory on a WordPress site (wp-content/plugins/wp-query-console/) is a strong indicator of potential exposure or active targeting.
- The vulnerability affects WP Query Console version 1.0 and below only. The plugin has not been updated in over 7 years and has no patched version available; removal is the only remediation.
- The exploit requires no authentication (PR:N) and no user interaction (UI:N), making it trivially exploitable remotely against any WordPress site with the plugin installed.
- EPSS score of 0.91902 (99.694th percentile) indicates extremely high probability of exploitation in the wild; treat as actively exploited.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-36p8-9jxx-p4v9: Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection
ghsa_unreviewed · 2024-10-28 · CVE-2024-50498 [CRITICAL] · CWE-94
Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection. This issue affects WP Query Console: from n/a through 1.0.
VulnCheck
lubus wp_query_console Improper Control of Generation of Code ('Code Injection')
vulncheck · 2024 · CVSS 9.8 · CVE-2024-50498 [CRITICAL]
Improper Control of Generation of Code ('Code Injection') vulnerability in Ajit Bohra WP Query Console wp-query-console allows Code Injection. This issue affects WP Query Console: from n/a through <= 1.0.
Affected: lubus wp_query_console
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-08&host_type=src&vulnerability=cve-2024-50498; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-06-09&host_type=src&vulnerability=cve-2024-50498; https://dashboard.shadowserver.
No detection rules found.
Nuclei
WP Query Console <= 1.0 - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2024-50498 [CRITICAL]
Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection. This issue affects WP Query Console: from n/a through 1.0.
Template:

```yaml
id: CVE-2024-50498
info:
  name: WP Query Console <= 1.0 - Remote Code Execution
  author: s4e-io
  severity: critical
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console- from n/a through 1.0.
  impact: |
    Attackers can exploit vulnerabilities to compromise the system.
  remediation: |
    Update to the latest patched version addressing CVE-2024-50498.
  reference:
    - https://github.com/RandomRobbieBF/CVE-2024-50498
    - https://www.wordfence.com/threat-in
```
Published: 2024-10-28 · Exploited in the wild