Share
## https://sploitus.com/exploit?id=DF12B550-E5D0-543E-A5D3-9C5CF3A5FA5E
# CVE-2024-50498 / 0-Click RCE Exploit

- Author: Joshua Provoste
- https://x.com/JoshuaProvoste/status/1858512517774868845

![CVE-2024-50498](CVE-2024-50498.PNG)

This repository contains a proof-of-concept exploit for CVE-2024-50498, an unauthenticated code injection vulnerability in the LUBUS WP Query Console WordPress plugin, leading to remote command execution (RCE).

## What the script does

The script sends a crafted POST request to a vulnerable REST endpoint to inject and execute arbitrary PHP code. It writes a web shell into the WordPress uploads directory, detects the target operating system, and provides an interactive remote shell.

## Usage

```
python CVE-2024-50498.py --target http://target-wordpress-site
```


After execution, the script deploys the payload, verifies its accessibility, detects the OS, and drops into an interactive shell.

## Notes

- No authentication required (pre-auth / 0-click).