CVE-2024-5450

9.1 CRITICAL

📋 TL;DR

The Bug Library WordPress plugin before version 2.1.1 has an unrestricted file upload vulnerability that allows unauthenticated attackers to upload PHP files. This can lead to remote code execution on affected WordPress sites. Any WordPress site using the vulnerable plugin version is affected.

💻 Affected Systems

Products:
  • Bug Library WordPress Plugin
Versions: All versions before 2.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active on WordPress site.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, or pivot to other systems.

🟠

Likely Case

Website defacement, malware distribution, or credential theft through uploaded web shells.

🟢

If Mitigated

No impact if uploads to the plugin are blocked at the web application firewall level or the plugin is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with PHP file upload to bug report endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.1

Vendor Advisory: https://wpscan.com/vulnerability/d91217bc-9f8f-4971-885e-89edc45b2a4d/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Bug Library plugin.
4. Click 'Update Now' to update to version 2.1.1 or later.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Bug Library Plugin

Platform: linux

Temporarily disable the vulnerable plugin until patching is possible.

wp plugin deactivate bug-library

Block Bug Report Endpoint

Platform: linux

Use web application firewall or .htaccess to block access to the vulnerable endpoint.

RewriteEngine On
RewriteRule ^wp-content/plugins/bug-library/.*\.php$ - [F,L]

🧯 If You Can't Patch

  • Remove the Bug Library plugin entirely from the WordPress installation.
  • Implement strict file upload filtering at the web server level to block PHP file uploads.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Bug Library version number.

Check Version:

wp plugin get bug-library --field=version

Verify Fix Applied:

Confirm Bug Library plugin version is 2.1.1 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-content/plugins/bug-library/ with .php file uploads
  • Unusual file creation in plugin upload directories

Network Indicators:

  • POST requests with Content-Type: multipart/form-data to bug library endpoints
  • File uploads with .php extensions to plugin paths

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/bug-library/*" AND method="POST" AND file_extension="php")
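As an added example (not part of the advisory or the plugin), the Python helpers below implement the indicators above as code: flagging POST requests under the plugin path in a web server access log, listing .php files in an upload directory, and the version check from "How to Verify" read from the plugin's header. The combined log format, the "Version:" plugin header and the handler filename in the sample log are assumptions; all sample data is constructed.

```python
import os
import re

PLUGIN_PATH = "/wp-content/plugins/bug-library/"   # path named in the advisory
FIXED_VERSION = (2, 1, 1)                            # first patched release

# Assumed combined log format: ip - - [ts] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(header_text: str) -> tuple:
    """Read the 'Version:' field from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version header found")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(header_text: str) -> bool:
    """True when the installed Bug Library version is below 2.1.1."""
    return parse_version(header_text) < FIXED_VERSION

def suspicious_posts(log_lines: list) -> list:
    """Return (ip, path, status) for POST requests under the plugin path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(PLUGIN_PATH):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits

def php_files_under(root: str) -> list:
    """List .php files below an upload directory; there should be none."""
    found = []
    for dirpath, _, files in os.walk(root):
        found += [os.path.join(dirpath, f) for f in files if f.lower().endswith(".php")]
    return sorted(found)

# Constructed sample data (not real traffic); the handler filename is a placeholder.
SAMPLE_HEADER = "/*\n * Plugin Name: Bug Library\n * Version: 2.1.0\n */\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "POST /wp-content/plugins/bug-library/'
    'PLACEHOLDER-handler.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/plugins/bug-library/'
    'css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Point `php_files_under` at the directory the plugin stores uploads in; any .php file there is a finding, while `suspicious_posts` only narrows log review to the endpoint path since access logs do not record uploaded filenames.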

🔗 References
