Remote File Inclusion Vulnerability in Qi Addons For Elementor Plugin
CVE-2024-4887
7.5HIGH
Summary
The Qi Addons For Elementor plugin for WordPress, in versions up to and including 1.7.2, is vulnerable to Remote File Inclusion via the 'behavior' attribute of the qi_addons_for_elementor_blog_list shortcode. Because Contributors can place shortcodes in post content, an authenticated attacker with Contributor-level access or higher can use the attribute to make the server include a remote file, which results in code execution. Successful exploitation is conditional: the attacker must be able to create a directory that does not yet exist at the path the attribute resolves to, or must target an instance where file_exists() does not return false for a non-existent directory, so that the plugin's existence check passes before the include.
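The pattern the advisory describes, as an added illustration that is not the plugin's code: a shortcode attribute chosen by a Contributor is joined onto a template path and reaches include() behind a file_exists() guard. The function names, the template directory layout and the "evil" directory standing in for a path the attacker can create are assumptions made for the demo. Both helpers return the path that would be included instead of including it, so running the file executes nothing attacker-controlled.

```php
<?php
/**
 * Added illustration for CVE-2024-4887; NOT the Qi Addons For Elementor source.
 * Function names, template layout and attribute handling are assumptions that
 * model the bug class the advisory describes: a shortcode attribute controlled
 * by a Contributor ends up in an include() path.
 */

// Minimal stand-ins so the file runs under plain `php` outside WordPress.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts ) {
        return array_intersect_key( array_merge( $defaults, (array) $atts ), $defaults );
    }
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

/**
 * Vulnerable pattern (hypothetical). file_exists() returns false for
 * http(s):// URLs because the HTTP stream wrapper has no stat(), so a bare
 * remote URL is stopped here; but any existing local directory passes,
 * including one reached through '..'. That is the precondition in the
 * advisory: a directory must exist at the resolved path (the attacker creates
 * it) or the host must be one where the check does not return false.
 * Returns the path that would be included, or null.
 */
function qi_example_resolve_vulnerable( $atts, $root ) {
    $atts = shortcode_atts( array( 'behavior' => 'standard' ), $atts );
    $dir  = $root . '/' . $atts['behavior'];
    return file_exists( $dir ) ? $dir . '/item.php' : null;
}

/**
 * Hardened pattern: an allowlist of layouts the plugin ships decides the
 * value; confining the resolved path to the template root is defense in depth.
 * Returns the path to include, or null.
 */
function qi_example_resolve_hardened( $atts, $root ) {
    $atts     = shortcode_atts( array( 'behavior' => 'standard' ), $atts );
    $allowed  = array( 'standard', 'masonry', 'carousel' ); // assumed layout names
    $behavior = sanitize_key( $atts['behavior'] );          // [a-z0-9_-] only
    if ( ! in_array( $behavior, $allowed, true ) ) {
        $behavior = 'standard';
    }
    $real_root = realpath( $root );
    $file      = realpath( $real_root . '/' . $behavior . '/item.php' );
    if ( false === $file || 0 !== strpos( $file, $real_root . DIRECTORY_SEPARATOR ) ) {
        return null; // missing, or resolved outside the template root
    }
    return $file;
}

// Demo on constructed input: a throwaway template tree plus a sibling
// directory ("evil") that stands in for a directory the attacker was able to
// create. Nothing below is included or executed.
$base = sys_get_temp_dir() . '/qi_example_' . getmypid();
$root = $base . '/templates';
foreach ( array( $root . '/standard', $base . '/evil' ) as $d ) {
    mkdir( $d, 0700, true );
    file_put_contents( $d . '/item.php', "<?php echo basename(__DIR__);" );
}
$inputs = array( 'standard', 'https://attacker.example/x', '../evil', 'standard/../../evil' );
foreach ( $inputs as $behavior ) {
    $atts = array( 'behavior' => $behavior );
    printf( "%-28s vulnerable: %-45s hardened: %s\n",
        $behavior,
        var_export( qi_example_resolve_vulnerable( $atts, $root ), true ),
        var_export( qi_example_resolve_hardened( $atts, $root ), true ) );
}
foreach ( array( $root . '/standard', $base . '/evil' ) as $d ) {
    unlink( $d . '/item.php' );
    rmdir( $d );
}
rmdir( $root );
rmdir( $base );
```

Run with `php example.php`: the vulnerable resolver returns a path under the attacker-created "evil" directory for the '../evil' inputs and null for the bare URL, while the hardened resolver only ever returns the allowlisted template. Two checks worth making on a live host: that `allow_url_include` is Off (`php -i | grep allow_url_include`), since a direct remote include needs it, and that no directory a Contributor can influence sits where the traversed path would land.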
Affected Version(s)
Qi Addons For Elementor: all versions up to and including 1.7.2 (<= 1.7.2)
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
haidv35