CVE-2024-4887
Published: 07 June 2024
Summary
CVE-2024-4887 is a high-severity Local File Inclusion vulnerability (CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program) in Qodeinteractive Qi Addons For Elementor for WordPress. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 37.1% of CVEs by predicted exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The Qi Addons For Elementor plugin for WordPress is vulnerable to local file inclusion in all versions up to and including 1.7.2. The flaw lies in the qi_addons_for_elementor_blog_list shortcode: the value of its behavior attribute is used to build an include path without sufficient validation, so the attribute can steer the include to arbitrary .php files already present on the server.
Authenticated users with Contributor privileges or higher can exploit the issue by placing a crafted shortcode attribute in content they control. There is an additional precondition: the attacker must be able to create a directory that does not otherwise exist on the server, or the target must run in an environment where file_exists() does not return false for a path containing a non-existent directory component. Once the include is reached, any PHP code in the included file runs in the web server's context, which can bypass access controls, expose sensitive data, or yield remote code execution where the attacker can first upload a .php file for the shortcode to include.
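To make the mechanism concrete, here is an added illustration in PHP of the unsafe pattern beside a hardened form. It is not the plugin's code and makes no claim about how helper.php is written: the template directory, the allow-listed layout names and the sanitize_key_like() helper are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Models a shortcode handler that turns the
// 'behavior' attribute into an include path. TEMPLATE_DIR, the allow-listed
// names and sanitize_key_like() are assumptions made for this illustration.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

/** Unsafe pattern: the attribute flows into the include path unvalidated. */
function vulnerable_template_path(array $atts): string
{
    $behavior = $atts['behavior'] ?? 'standard';
    // behavior="../../../../wp-content/uploads/2024/06/payload" walks out of TEMPLATE_DIR.
    return TEMPLATE_DIR . '/' . $behavior . '.php';
}

/** Minimal stand-in for WordPress sanitize_key(): keep only lowercase [a-z0-9_-]. */
function sanitize_key_like(string $value): string
{
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($value)) ?? '';
}

/**
 * Hardened pattern: allow-list the attribute first, then confirm the resolved path
 * still lies inside TEMPLATE_DIR. Returns null when the layout must not be rendered.
 */
function hardened_template_path(array $atts): ?string
{
    $allowed  = ['standard', 'masonry', 'slider']; // hypothetical known layouts
    $behavior = sanitize_key_like((string) ($atts['behavior'] ?? 'standard'));
    if (!in_array($behavior, $allowed, true)) {
        return null;
    }
    // realpath() yields false if any path component does not exist, so a path that
    // routes through a missing directory is rejected here regardless of file_exists().
    $root = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . $behavior . '.php');
    if ($root === false || $real === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** Shortcode callback built on the hardened resolver. */
function render_blog_list(array $atts): string
{
    $path = hardened_template_path($atts);
    if ($path === null) {
        return ''; // unknown layout: render nothing, include nothing
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed traversal attribute, as a Contributor could place it in post content.
$evil = ['behavior' => '../../../../wp-content/uploads/2024/06/payload'];
echo vulnerable_template_path($evil), PHP_EOL; // the unsafe path leaves TEMPLATE_DIR
var_dump(hardened_template_path($evil));       // the allow-list rejects the stripped value
var_dump(render_blog_list($evil) === '');      // nothing is included or rendered
```

The two checks are deliberately layered: the allow-list is the real control, since a layout name is a closed set, and the realpath() containment check is the backstop that catches a future refactor which widens the allowed values. Note that realpath() also fails for the 'standard' layout until templates/standard.php exists, so the resolver fails closed rather than open.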
Public references point to a fix committed in changeset 3096634 of the plugin repository, which updates the helper.php file that handles the affected shortcode attribute. Administrators should update to a plugin release newer than 1.7.2 that contains this change.
EPSS for the vulnerability rose from a low baseline to a peak of 0.1811 before receding to the current value of 0.0043, indicating a window after disclosure in which the model predicted a markedly higher probability of exploitation. EPSS is a prediction, not evidence of observed attacks, so the peak should be read as elevated risk rather than confirmed exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44457
Vulnerability details
The Qi Addons For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.
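Because the attack surface described above is a shortcode that a Contributor stores in post content, a practitioner can hunt for abuse in the database after the fact. The following is an added example, not code from the page or the plugin: it scans post content for the affected shortcode and flags 'behavior' values that carry dot-segments, path separators, URL-encoded equivalents, a null byte or a stream-wrapper scheme. The sample rows are constructed, and the assumption that legitimate values are plain tokens is a heuristic, not something the page states.

```php
<?php
// Added hunting example, not from the page or the plugin. Flags stored uses of the
// affected shortcode whose 'behavior' attribute does not look like a plain token.
declare(strict_types=1);

const SHORTCODE = 'qi_addons_for_elementor_blog_list';

/** Return the suspicious behavior values found in one post_content string. */
function suspicious_behavior_values(string $content): array
{
    // [qi_addons_for_elementor_blog_list ... behavior="value" ...], quotes optional
    $shortcode = '/\[' . preg_quote(SHORTCODE, '/')
               . '\b[^\]]*?\bbehavior\s*=\s*(["\']?)([^"\'\]\s]+)\1/i';
    // Dot-segments, separators, URL-encoded equivalents, NUL, or a scheme prefix
    // (php://, data://, ...) have no place in a layout name. Heuristic, an assumption.
    $bad = '#(\.\.|[/\\\\]|%2e|%2f|%5c|\x00|^[a-z][a-z0-9+.\-]*://)#i';

    $hits = [];
    if (preg_match_all($shortcode, $content, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            if (preg_match($bad, $m[2])) {
                $hits[] = $m[2];
            }
        }
    }
    return $hits;
}

// Constructed sample rows (post_id => post_content); not real data.
$rows = [
    101 => '[qi_addons_for_elementor_blog_list behavior="masonry" columns="3"]',
    102 => '[qi_addons_for_elementor_blog_list behavior="../../../../wp-content/uploads/2024/06/x"]',
    103 => '[qi_addons_for_elementor_blog_list behavior=php://filter/convert.base64-encode/resource=../../wp-config]',
    104 => 'Plain paragraph with no shortcode at all.',
];

foreach ($rows as $id => $content) {
    foreach (suspicious_behavior_values($content) as $value) {
        printf("post %d: suspicious behavior=%s\n", $id, $value);
    }
}
```

The rows are built so that 102 (directory traversal) and 103 (stream wrapper) trip the heuristic while 101 is a normal layout name. In a real hunt, feed post_content and post_content_filtered from wp_posts, including revisions and drafts, since a Contributor's payload does not need to be published to be stored.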
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Qi Addons For Elementor WordPress plugin, all versions up to and including 1.7.2.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.