CVE-2024-13699
📋 TL;DR
The Qi Addons For Elementor WordPress plugin has a stored cross-site scripting vulnerability in the 'cursor' parameter that allows authenticated attackers with Contributor access or higher to inject malicious scripts. These scripts execute when users view compromised pages, potentially stealing credentials or performing unauthorized actions. All versions up to 1.8.7 are affected, with partial patches in 1.8.5-1.8.7 that didn't fully address the issue.
💻 Affected Systems
- Qi Addons For Elementor WordPress plugin
📦 What is this software?
Qi Addons For Elementor by Qodeinteractive
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over websites, deface content, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions as authenticated users, or display phishing content to visitors.
If Mitigated
With proper input validation and output escaping, malicious scripts are neutralized, preventing execution while maintaining plugin functionality.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor role or higher). The vulnerability is in a widely used plugin, making it an attractive target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.8.7 (check for latest update)
Vendor Advisory: https://plugins.trac.wordpress.org/browser/qi-addons-for-elementor/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Qi Addons For Elementor'.
4. Click 'Update Now' if available.
5. If no update appears, manually download the latest version from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Temporarily disable the typeout-text shortcode functionality until patched
Edit wp-config.php and add: define('DISABLE_QI_TYPEOUT', true);
Restrict contributor permissions
Temporarily remove contributor ability to edit posts/pages
Use WordPress role editor plugin to modify contributor capabilities
🧯 If You Can't Patch
- Disable the Qi Addons For Elementor plugin completely
- Implement web application firewall (WAF) rules to block XSS payloads in cursor parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Qi Addons For Elementor → Version. If version is 1.8.7 or lower, you're vulnerable.
Check Version:
wp plugin list --name='qi-addons-for-elementor' --field=version
Verify Fix Applied:
After updating, verify version is above 1.8.7. Test cursor parameter input with basic XSS payloads like <script>alert('test')</script> to ensure sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with cursor parameter containing script tags
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected iframe or script injections in page responses
SIEM Query:
source="wordpress.log" AND "cursor=" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
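The SIEM query above matches the injection markers only as literal text, but in web-server and WAF logs a `cursor` value normally arrives percent-encoded (sometimes twice), so `<script>` appears as `%3Cscript%3E` and never matches. The following is an added example (not code from the page or the plugin) that decodes each `cursor` value before checking it; the log lines and the log layout are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Injection markers; the first four mirror the SIEM query above.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "onmouseover=")

# Value of any 'cursor' query or body parameter as it appears in a log line.
CURSOR_RE = re.compile(r'(?:^|[?&"\s])cursor=([^&\s"]*)')

def normalise(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding and HTML entities (repeated, so double-encoded
    payloads are caught), then lowercase and drop whitespace so that
    'onload =' still matches the 'onload=' marker."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", "", value.lower())

def cursor_is_suspicious(raw_value: str) -> bool:
    """True if the decoded cursor value carries any injection marker."""
    v = normalise(raw_value)
    return any(marker in v for marker in XSS_MARKERS)

def scan_log(lines):
    """Return (line_number, decoded cursor value) for every line whose
    cursor parameter carries an injection marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CURSOR_RE.finditer(line):
            if cursor_is_suspicious(m.group(1)):
                hits.append((n, normalise(m.group(1))))
    return hits

# Constructed sample lines (not real traffic): a simplified access-log layout
# in which the POST body is appended as the final quoted field.
SAMPLE_LOG = [
    '203.0.113.5 - contributor1 [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "cursor=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '203.0.113.7 - editor2 [10/Jan/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "cursor=pointer"',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /?cursor=%22%20onload%3Dalert(1) HTTP/1.1" 200 2048 "-"',
    '203.0.113.11 - contributor1 [10/Jan/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "cursor=%253Cscript%253E"',
]

if __name__ == "__main__":
    for line_no, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious cursor value {value!r}")
```

Lines 2 ("cursor=pointer", a legitimate CSS cursor keyword) is ignored, while lines 1, 3 and 4 are flagged; the fourth line is double-encoded and would be missed by a literal string match.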
🔗 References
- https://plugins.trac.wordpress.org/browser/qi-addons-for-elementor/trunk/inc/shortcodes/typeout-text/class-qiaddonsforelementor-typeout-text-shortcode.php
- https://plugins.trac.wordpress.org/changeset/3230342/
- https://plugins.trac.wordpress.org/changeset/3231980/
- https://plugins.trac.wordpress.org/changeset/3232550/
- https://plugins.trac.wordpress.org/changeset/3234136/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/add39d28-4070-44e2-8dff-0371e0c58453?source=cve