CVE-2024-50498 — AI Deep Analysis Summary

🚨 **Essence**: Unauthenticated Remote Code Execution (RCE) via Code Injection.…

🛡️ **CWE**: CWE-94 (Improper Control of Generation of Code). 🔍 **Flaw**: The plugin fails to properly sanitize or control user input when generating code.…

📦 **Vendor**: Ajit Bohra / LUBUS. 📉 **Affected Product**: WP Query Console. 📅 **Versions**: All versions up to and including **1.0**. If you are running v1.0 or earlier, you are at risk.

💀 **Privileges**: Full Server Control (Root/Admin). 📂 **Data**: Complete access to database, files, and server environment.…

⚡ **Threshold**: EXTREMELY LOW. 🚫 **Auth**: Unauthenticated (No login required). 🖱️ **UI**: No user interaction needed. 🎯 **Difficulty**: Low (CVSS AC:L).…

🔥 **Public Exploits**: YES. Multiple PoCs exist on GitHub (e.g., by RandomRobbieBF, p0et08, Nxploited). 🛠️ **Tools**: Automated scripts allow easy RCE, reverse shells, and web shell deployment.…

🔍 **Self-Check**: Scan for the endpoint `/wp-json/wqc/v1/query`. 🧪 **Test**: Send a POST request with a malicious query payload.…

🩹 **Fix**: Update WP Query Console to a version **greater than 1.0**. 📢 **Status**: The vendor has acknowledged the issue. Check for the latest release on the WordPress plugin repository or vendor site immediately.

🚧 **No Patch?**: 1. **Disable/Deactivate** the plugin immediately. 2. **Remove** the plugin files if possible. 3. **WAF**: Block access to `/wp-json/wqc/v1/query`. 4.…

🚨 **Urgency**: CRITICAL (Priority 1). ⏳ **Time**: Act NOW. With unauthenticated RCE and public exploits, automated bots are likely scanning for this already.…