CVE-2024-50498

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 28, 2024 / Updated: 22d ago

010
CVSS 9.8EPSS 0.04%Critical
CVE info copied to clipboard

Summary

Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection. This issue affects WP Query Console versions from an unspecified point through version 1.0.

Impact

This vulnerability has a CVSS v3.1 base score of 10.0, which is the highest possible severity. The attack vector is network-based, requires low complexity, and needs no user interaction or privileges. It can lead to a complete compromise of confidentiality, integrity, and availability of the affected system. The scope is changed, meaning the vulnerable component impacts resources beyond its security scope. Attackers could potentially execute arbitrary code, manipulate data, or gain unauthorized access to the WordPress installation and possibly the underlying server.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

There is no specific information provided about a patch. However, given that the vulnerability affects WP Query Console through version 1.0, it's likely that users should update to a version newer than 1.0 if available. If no patch is available, users should consider disabling or removing the WP Query Console plugin until a fix is released.

Mitigation

1. Update the WP Query Console plugin to a version newer than 1.0 if available. 2. If no update is available, consider disabling or removing the WP Query Console plugin. 3. Implement strong input validation and sanitization for all user inputs. 4. Use WordPress security plugins to add an extra layer of protection. 5. Regularly monitor WordPress and plugin logs for suspicious activities. 6. Implement the principle of least privilege for WordPress user roles. 7. Use a Web Application Firewall (WAF) to filter malicious requests. 8. Keep WordPress core, all themes, and plugins up to date. 9. Conduct regular security audits of the WordPress installation.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-50498

Oct 28, 2024 at 12:15 PM
First Article

Feedly found the first article mentioning CVE-2024-50498. See article

Oct 28, 2024 at 12:21 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 28, 2024 at 12:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 29, 2024 at 9:43 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152343)

Oct 30, 2024 at 7:53 AM
Static CVE Timeline Graph

Affected Systems

Lubus/wp_query_console
+null more

Attack Patterns

CAPEC-242: Code Injection
+null more

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI