CVE-2024-50457

CVSS Score: 7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to include arbitrary local files in WordPress sites using the Qode Essential Addons plugin. Attackers can potentially read sensitive files or execute code by manipulating file inclusion parameters. All WordPress sites running vulnerable versions of Qode Essential Addons are affected.

💻 Affected Systems

Products:
  • Qode Essential Addons for WordPress
Versions: All versions up to and including 1.6.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the Qode Essential Addons plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete site compromise, data theft, and server takeover.

🟠 Likely Case: Local file inclusion allowing reading of sensitive configuration files (wp-config.php) and potential information disclosure.

🟢 If Mitigated: Limited impact if file permissions are restrictive and the web server runs with minimal privileges.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be targeted by internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as it involves manipulating URL parameters to include local files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/qode-essential-addons/wordpress-qode-essential-addons-plugin-1-6-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find Qode Essential Addons.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.6.4+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin

Platform: all

Temporarily deactivate Qode Essential Addons until patched:

wp plugin deactivate qode-essential-addons

Restrict file inclusion

Platform: linux

Add web server rules to block file inclusion attempts. Note that both rules below match the substring "include" anywhere in the query string, so they will also block legitimate requests whose parameters happen to contain that word; test against normal site traffic before deploying.

# Apache: Add to .htaccess (mod_rewrite must be enabled)
RewriteEngine On
# Reject any request whose query string contains "include"
RewriteCond %{QUERY_STRING} include [NC]
RewriteRule .* - [F,L]

# Nginx: Add inside the server block
# Case-insensitive match on the query string; respond 403 Forbidden
if ($args ~* "include") { return 403; }

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict web server permissions to prevent reading sensitive files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Qode Essential Addons version. If version is 1.6.3 or lower, you are vulnerable.

Check Version:

wp plugin get qode-essential-addons --field=version

Verify Fix Applied:

Verify plugin version is 1.6.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with 'include' or 'require' parameters in query strings
  • Access to sensitive files like wp-config.php from web requests

Network Indicators:

  • Unusual file paths in URL parameters
  • Multiple requests with varying file inclusion attempts

SIEM Query:

(web.url:*include* OR web.url:*require*) AND web.url:*qode-essential-addons*

Without the parentheses, AND binds tighter than OR in most query languages, so the query would match any URL containing "include" regardless of plugin path.
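The following Python script is an added example (not part of this advisory or the plugin) that applies the log and network indicators above to web server access logs in combined format. The plugin path is assumed from the plugin slug on this page; the script file name and query parameter values in the sample log lines are constructed for illustration, not taken from the plugin or any real exploit. It flags requests by parameter name rather than by substring, so a URL like /blog/include-tips/ is not a false positive the way it would be under the .htaccess rule above.

```python
"""Triage access log lines for local file inclusion indicators (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip ident user [time] "METHOD URL PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Parameter names named in the advisory's log indicators
SUSPECT_PARAMS = {"include", "require"}
# Assumed plugin directory, derived from the plugin slug on the page
PLUGIN_PATH = "/wp-content/plugins/qode-essential-addons/"
# Sensitive files named in the advisory
SENSITIVE_FILES = ("wp-config.php",)

# Constructed sample log lines (not real traffic). Lines 1-2 are two varying
# inclusion attempts from one source; lines 3-4 are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2024:12:00:01 +0000] "GET /wp-content/plugins/qode-essential-addons/example.php?include=../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Nov/2024:12:00:03 +0000] "GET /wp-content/plugins/qode-essential-addons/example.php?include=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Nov/2024:12:01:00 +0000] "GET /?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2024:12:02:00 +0000] "GET /blog/include-tips/?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return a finding dict for a suspicious line, or None for benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    for key, value in params:
        # Indicator: 'include' / 'require' parameter names in the query string
        if key.lower() in SUSPECT_PARAMS:
            reasons.append(f"param:{key}")
        decoded = unquote(value)
        # Indicator: unusual file paths as parameter values (traversal or sensitive file)
        if ".." in decoded or any(f in decoded for f in SENSITIVE_FILES):
            reasons.append(f"path-value:{key}")
    # Indicator: sensitive file requested directly in the path
    if any(f in unquote(parts.path) for f in SENSITIVE_FILES):
        reasons.append("path:sensitive-file")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "url": url,
        "status": int(m.group("status")),
        "plugin_path": parts.path.startswith(PLUGIN_PATH),
        "reasons": reasons,
    }


def triage(lines):
    """Classify every line and annotate each hit with how many distinct
    suspicious URLs its source IP produced (the 'varying attempts' indicator)."""
    hits = [h for h in (classify(line) for line in lines) if h]
    urls_by_ip = {}
    for h in hits:
        urls_by_ip.setdefault(h["ip"], set()).add(h["url"])
    for h in hits:
        h["repeat_count"] = len(urls_by_ip[h["ip"]])
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["reasons"],
              "plugin_path" if hit["plugin_path"] else "", f"x{hit['repeat_count']}")
```

A 200 status on a flagged request to the plugin path is the combination worth escalating; a 403 from the web server rules above means the request was blocked before reaching PHP. Run it against real logs with `triage(open(path).readlines())`.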
