CVE-2024-4887

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.
Configurations

Configuration 1 (hide)

cpe:2.3:a:qodeinteractive:qi_addons_for_elementor:*:*:*:*:*:wordpress:*:*

History

29 Oct 2024, 19:52

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset/3096634/qi-addons-for-elementor/trunk/inc/admin/helpers/helper.php - () https://plugins.trac.wordpress.org/changeset/3096634/qi-addons-for-elementor/trunk/inc/admin/helpers/helper.php - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/284daad9-d31e-4d29-ac15-ba293ba9640d?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/284daad9-d31e-4d29-ac15-ba293ba9640d?source=cve - Third Party Advisory
First Time Qodeinteractive qi Addons For Elementor
Qodeinteractive
CWE CWE-706
CPE cpe:2.3:a:qodeinteractive:qi_addons_for_elementor:*:*:*:*:*:wordpress:*:*

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) El complemento Qi Addons For Elementor para WordPress es vulnerable a la inclusión remota de archivos en todas las versiones hasta la 1.7.2 incluida a través de los atributos de 'comportamiento' que se encuentran en el código corto qi_addons_for_elementor_blog_list. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, incluyan archivos remotos en el servidor, lo que resulta en la ejecución de código. Tenga en cuenta que esto requiere que un atacante cree un directorio inexistente o apunte a una instancia donde file_exists no devuelva false con un directorio inexistente en la ruta, para poder explotar con éxito.

07 Jun 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-07 04:15

Updated : 2024-10-29 19:52


NVD link : CVE-2024-4887

Mitre link : CVE-2024-4887

CVE.ORG link : CVE-2024-4887


JSON object : View

Products Affected

qodeinteractive

  • qi_addons_for_elementor
CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference