
WP Query Console CVE-2024-50498

Severity: CRITICAL (CVSS 3.1 base score 10.0)
Weakness: Code Injection (CWE-94)
Published: 2024-10-28 (audit@patchstack.com)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

CVSS changed, Apr 23, 2026 - 15:22 (NVD): 9.8 (CRITICAL) -> 10.0 (CRITICAL)
PoC Detected, Apr 01, 2026 - 16:19 (vuln.today): public exploit code
CVE Published, Oct 28, 2024 - 12:15 (nvd): CRITICAL 9.8

Description (NVD)

Improper Control of Generation of Code ('Code Injection') vulnerability in Ajit Bohra WP Query Console wp-query-console allows Code Injection. This issue affects WP Query Console: from n/a through <= 1.0.

Analysis (AI)

Remote code execution in the WP Query Console WordPress plugin (versions up to and including 1.0) by Ajit Bohra allows unauthenticated attackers to inject and execute arbitrary PHP code on the server. The CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, and publicly available exploit code combined with an EPSS of 91.90% (100th percentile) indicates very high likelihood of opportunistic exploitation, though the vulnerability is not yet listed in CISA KEV.

Technical Context (AI)

WP Query Console is a WordPress utility plugin (CPE cpe:2.3:a:lubus:wp_query_console:*:*:*:*:*:wordpress:*:*) intended to let administrators run and test WP_Query expressions against the WordPress database. The flaw is classified as CWE-94 (Improper Control of Generation of Code, i.e. Code Injection): attacker-supplied input is incorporated into code that the PHP interpreter executes, most commonly via eval(), create_function(), or analogous dynamic execution applied to the query parameters the plugin accepts. Because the CVSS vector reports PR:N and S:C, the affected endpoint is reachable without authentication, and the impact of the executed code extends beyond the plugin itself to the broader WordPress installation and the underlying host.

Remediation (AI)

No vendor-released patch had been identified at the time of analysis: version 1.0 is the latest published release and remains vulnerable. The most reliable remediation is therefore to deactivate and remove the WP Query Console plugin from any WordPress installation where it is not strictly required, accepting the loss of the in-dashboard WP_Query testing tool. If the plugin must remain installed, restrict access to /wp-admin and any plugin-exposed AJAX or REST endpoints to trusted IPs via a WAF or web server ACL, keep the plugin disabled in production and enabled only in isolated development environments, and monitor the Patchstack advisory at https://patchstack.com/database/ for a future fixed release to upgrade to. Generic WAF rules that block PHP language tokens, eval-like payloads, and base64-encoded code in request parameters aimed at the plugin's endpoints can reduce exposure but will not fully close the code-injection sink.


CVE-2024-50498 vulnerability details – vuln.today
