CVE-2024-4887
📋 TL;DR
The Qi Addons For Elementor WordPress plugin contains a Remote File Inclusion vulnerability that allows authenticated attackers with Contributor-level access or higher to include remote files on the server, potentially leading to code execution. All versions up to and including 1.7.2 are affected. Successful exploitation additionally requires that the attacker can create a directory that does not already exist, or that the server is configured in a specific way.
💻 Affected Systems
- Qi Addons For Elementor WordPress Plugin
📦 What is this software?
Qi Addons For Elementor by Qodeinteractive
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with remote code execution, data theft, and complete system control.
Likely Case
Unauthorized file upload leading to backdoor installation, data exfiltration, or website defacement.
If Mitigated
Limited impact due to proper access controls and monitoring preventing successful exploitation.
🎯 Exploit Status
Requires authenticated access and specific server conditions. Public exploit details are limited but the vulnerability is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3096634/qi-addons-for-elementor/trunk/inc/admin/helpers/helper.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Qi Addons For Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.7.3+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Restrict Contributor Access
Temporarily downgrade Contributor accounts to Subscriber until the patch is applied. (Each user ID is passed to wp user set-role separately; feeding all IDs into one invocation would be treated as a single user argument.)
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
Disable Plugin
Deactivate the vulnerable plugin until patched.
wp plugin deactivate qi-addons-for-elementor
🧯 If You Can't Patch
- Implement strict user role management and audit Contributor-level accounts
- Enable web application firewall rules to block remote file inclusion attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.7.2 or lower, you are vulnerable.
Check Version:
wp plugin get qi-addons-for-elementor --field=version
Verify Fix Applied:
Verify plugin version is 1.7.3 or higher after update. Test that blog list shortcode functionality still works without errors.
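The version check above is easy to get wrong when done as a string comparison ("1.10.0" sorts below "1.7.3" lexically). The following is an added example, not part of the advisory or the plugin: it parses the version into a numeric tuple, compares it against the fixed release 1.7.3 stated above, and optionally asks WP-CLI for the installed version using the same wp plugin get command the advisory gives. The plugin slug and the fixed version come from the page; the function names are this example's own.

```python
"""Check whether an installed Qi Addons For Elementor version is below the 1.7.3 fix."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "qi-addons-for-elementor"   # slug used by WP-CLI on the advisory page
FIXED_VERSION = (1, 7, 3)                  # first release that contains the fix


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.7.2' (or '1.7.2-beta', '1.7') into a comparable 3-tuple of ints.

    Pre-release suffixes after '-' are ignored and missing components count as 0,
    so '1.7' compares as (1, 7, 0). Raises ValueError on strings with no digits.
    """
    core = version.strip().split("-")[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def installed_version(wp_binary: str = "wp") -> Optional[str]:
    """Ask WP-CLI for the installed plugin version.

    Returns None when WP-CLI is not on PATH or the plugin is not installed,
    so the caller can distinguish 'not present' from 'present but old'.
    """
    if shutil.which(wp_binary) is None:
        return None
    try:
        result = subprocess.run(
            [wp_binary, "plugin", "get", PLUGIN_SLUG, "--field=version"],
            capture_output=True, text=True, check=True,
        )
    except subprocess.CalledProcessError:
        return None
    return result.stdout.strip() or None


def assess(version: Optional[str]) -> str:
    """Human-readable verdict for a version string (or None when not installed)."""
    if version is None:
        return "plugin not installed or WP-CLI unavailable"
    if is_vulnerable(version):
        return f"VULNERABLE: {version} is below 1.7.3, update required"
    return f"OK: {version} is 1.7.3 or later"


if __name__ == "__main__":
    # Run on the WordPress host where wp-cli is available.
    print(assess(installed_version()))
```

The numeric comparison is the point: both "1.7.2" and "1.6.9" are reported vulnerable, while "1.7.3" and "1.10.0" pass, which a plain string comparison would not get right for the second pair.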
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- Suspicious POST requests to admin-ajax.php with 'behavior' parameters
- Unexpected file uploads to wp-content/uploads
Network Indicators:
- HTTP requests containing 'qi_addons_for_elementor_blog_list' with external URLs
- Outbound connections to suspicious domains following plugin requests
SIEM Query (pseudo-syntax; the grouping makes the source filter apply to both branches, and the wp-json condition is matched on the request URI rather than the User-Agent):
source="web_server" AND ((uri="*/admin-ajax.php" AND parameters CONTAINS "behavior") OR (uri="*/wp-json/*" AND parameters CONTAINS "qi_addons"))
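The log and network indicators above can be checked against an ordinary access log before a SIEM rule is written. The script below is an added example, not part of the advisory: it parses combined-format access-log lines, percent-decodes the query string, and flags requests to admin-ajax.php that carry a 'behavior' parameter (low severity on its own, since the plugin uses that parameter legitimately) and requests naming qi_addons_for_elementor_blog_list whose parameters contain an external URL (high severity, the actual remote-inclusion indicator). Because access logs do not record POST bodies, classify() also accepts body fields captured elsewhere (for example from a WAF log). The sample log lines are constructed; the parameter name path in them is a stand-in, not the plugin's real parameter.

```python
"""Scan access-log lines for the Qi Addons blog-list remote-inclusion indicators."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Apache/nginx combined-format prefix; referer and user-agent after size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
ACTION_MARKER = "qi_addons_for_elementor_blog_list"   # named in the advisory's indicators
EXTERNAL_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample data: two benign requests, one with an external URL, one with
# only the 'behavior' parameter. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 62
198.51.100.7 - - [10/May/2024:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=qi_addons_for_elementor_blog_list&behavior=load&path=http%3A%2F%2Fexample.net%2Fx HTTP/1.1" 200 311
198.51.100.7 - - [10/May/2024:10:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=qi_addons_for_elementor_blog_list&behavior=load&path=standard HTTP/1.1" 200 4020
"""


def parse_line(line: str) -> Optional[Dict]:
    """Split one access-log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlparse(entry["target"])
    entry["path"] = url.path
    # parse_qs percent-decodes values, so an encoded URL comes back as http://...
    entry["params"] = parse_qs(url.query, keep_blank_values=True)
    return entry


def classify(entry: Dict, body_params: Optional[Dict[str, List[str]]] = None) -> Optional[Dict]:
    """Return a finding dict for a suspicious request, or None.

    body_params lets the caller merge POST fields obtained from another source,
    since the access log itself only exposes the query string.
    """
    params: Dict[str, List[str]] = {k: list(v) for k, v in entry["params"].items()}
    for key, values in (body_params or {}).items():
        params.setdefault(key, []).extend(values)

    mentions_plugin = any(
        ACTION_MARKER in key or any(ACTION_MARKER in v for v in values)
        for key, values in params.items()
    )
    external = [v for values in params.values() for v in values if EXTERNAL_URL.match(v)]

    reasons: List[str] = []
    severity = None
    if entry["path"].endswith("/admin-ajax.php") and "behavior" in params:
        reasons.append("admin-ajax.php request carrying a 'behavior' parameter")
        severity = "low"
    if mentions_plugin and external:
        reasons.append("blog-list request with external URL(s): " + ", ".join(external))
        severity = "high"
    if not reasons:
        return None
    return {"ip": entry["ip"], "ts": entry["ts"], "severity": severity, "reasons": reasons}


def scan(log_text: str) -> List[Dict]:
    """Run classify() over every parseable line and collect the findings in order."""
    findings: List[Dict] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"], "; ".join(f["reasons"]))
```

On the constructed sample the third line is reported as high (external URL in a blog-list request) and the fourth as low (behavior parameter only); the heartbeat call is ignored. The severity split matters in practice: alerting on every 'behavior' parameter would page on normal plugin traffic, while the external-URL condition is the one worth an immediate look and a check of the originating Contributor account.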
🔗 References
- https://plugins.trac.wordpress.org/changeset/3096634/qi-addons-for-elementor/trunk/inc/admin/helpers/helper.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/284daad9-d31e-4d29-ac15-ba293ba9640d?source=cve