Cyber Resilience

CVE-2024-4887

Severity: High
Published: 07 June 2024
Modified: 08 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (62.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-4887 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Qodeinteractive Qi Addons For Elementor. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Qi Addons For Elementor plugin for WordPress is vulnerable to local file inclusion in all versions through 1.7.2. The flaw exists in the qi_addons_for_elementor_blog_list shortcode, where the behavior attribute is processed without sufficient path validation, allowing inclusion of arbitrary server-side PHP files.

Authenticated users with Contributor privileges or higher can exploit the issue by supplying a crafted shortcode attribute. Successful exploitation requires the attacker to create a non-existent directory or target an instance where file_exists does not return false on an invalid path; once triggered, the attacker can execute any PHP code present in the included file, bypassing access controls, reading sensitive data, or achieving remote code execution when PHP file uploads are possible.

Public references point to a fix committed in changeset 3096634 of the plugin repository, which updates the helper.php file responsible for handling the affected shortcode attribute. Administrators are therefore advised to apply the latest plugin release that contains this change.
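The bug class described above, as an added illustration that is not the plugin's own code: a shortcode handler that builds an include path from the `behavior` attribute and relies on `file_exists`, beside a hardened form that treats the attribute only as a key into a fixed allowlist. The function names, template directory and allowed values are assumptions for the example; `shortcode_atts` and `sanitize_key` are the standard WordPress helpers.

```php
<?php
// Added illustration of CWE-98 in a WordPress shortcode handler, not the
// plugin's own code. Function names, the template directory and the allowed
// "behavior" values are assumptions chosen for this example.

// VULNERABLE PATTERN: the attribute value is spliced straight into a path.
// Any value containing path separators or ".." escapes the template
// directory, and file_exists() only confirms that the target is present,
// not that it is one of the templates the plugin intended to load.
function example_blog_list_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'behavior' => 'load-more' ), $atts );
    $template = __DIR__ . '/templates/' . $atts['behavior'] . '.php';
    if ( file_exists( $template ) ) {
        ob_start();
        include $template;          // attribute-controlled include
        return ob_get_clean();
    }
    return '';
}

// HARDENED PATTERN: the attribute is only ever a lookup key, so no
// user-supplied string reaches include(). The realpath() containment
// check is defence in depth in case the map is ever built dynamically.
function example_blog_list_hardened( $atts ) {
    static $allowed = array(
        'load-more'  => 'load-more.php',
        'pagination' => 'pagination.php',
        'infinite'   => 'infinite-scroll.php',
    );
    $atts     = shortcode_atts( array( 'behavior' => 'load-more' ), $atts );
    $behavior = sanitize_key( $atts['behavior'] );   // a-z, 0-9, '-' and '_' only
    if ( ! isset( $allowed[ $behavior ] ) ) {
        return '';                  // unknown value: render nothing, include nothing
    }
    $base     = realpath( __DIR__ . '/templates' );
    $template = realpath( $base . '/' . $allowed[ $behavior ] );
    // Refuse anything that does not resolve to a file inside the template dir.
    if ( false === $template || 0 !== strpos( $template, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    ob_start();
    include $template;
    return ob_get_clean();
}
```

When reviewing a plugin for this class of flaw, the question to ask of every `include`/`require` reached from shortcode, AJAX or REST input is whether the path is derived from an allowlist lookup or from string concatenation; a `file_exists` guard alone does not distinguish the two.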

EPSS for the vulnerability rose from a low baseline to a peak of 0.1811 before receding to the current value of 0.0043, indicating a period of increased exploitation interest after disclosure.


Vulnerability details

The Qi Addons For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.

CWE(s)

CWE-98 (PHP Remote File Inclusion)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qodeinteractive
Product: qi addons for elementor
Versions: ≤ 1.7.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
