PT-2024-33251 · WordPress · Qi Addons For Elementor

Haidv35 · Published 2024-06-06 · Updated 2025-04-15 · CVE-2024-4887

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Qi Addons For Elementor plugin for WordPress, versions up to and including 1.7.2.

Description: The issue allows authenticated attackers with Contributor-level access and above to include remote files on the server, resulting in code execution. This is possible via the behavior attributes of the Qi Addons For Elementor blog list shortcode. Successful exploitation requires the attacker to create a non-existent directory, or to target an instance where file_exists() does not return false for a path that contains a non-existent directory.

Recommendations: For versions up to and including 1.7.2, update to a version that contains a fix for this issue; no specific workaround is provided for these versions. As a temporary workaround, consider disabling the Qi Addons For Elementor blog list shortcode until a patch is available, and restrict access to the behavior attributes of the shortcode to minimize the risk of exploitation.
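The defensive pattern behind that recommendation, shown as an added example that is not the plugin's own code: a shortcode handler that maps the behavior attribute through a fixed allowlist and verifies the resolved path, so an attribute value is never used to build an include path. All function, constant and template names below are hypothetical.

```php
<?php
// Added example (not Qi Addons For Elementor code): resolve a shortcode
// "behavior" attribute through an allowlist instead of composing an include
// path from the user-supplied string. Names are hypothetical.

// Hypothetical allowlist: attribute value => template file name.
const EXAMPLE_BEHAVIOR_TEMPLATES = [
    'load-more'       => 'load-more.php',
    'pagination'      => 'pagination.php',
    'infinite-scroll' => 'infinite-scroll.php',
];

/**
 * Map a behavior attribute to an absolute template path, or return null if the
 * value is not allowlisted or does not resolve to a file inside $template_dir.
 */
function example_resolve_behavior_template(string $behavior, string $template_dir): ?string {
    if (!array_key_exists($behavior, EXAMPLE_BEHAVIOR_TEMPLATES)) {
        return null; // Unknown value: no fallback such as "$behavior.php".
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . EXAMPLE_BEHAVIOR_TEMPLATES[$behavior]);
    // realpath() only resolves existing local filesystem paths; it returns
    // false for missing files and for non-filesystem targets, so a file that
    // does not exist under the template directory can never pass this check.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Shortcode callback: contributors can set the attribute, but only the
// allowlisted, verified template is ever passed to include.
function example_blog_list_shortcode(array $atts): string {
    $atts = shortcode_atts(['behavior' => 'pagination'], $atts, 'example_blog_list');
    $template = example_resolve_behavior_template((string) $atts['behavior'], __DIR__ . '/templates');
    if ($template === null) {
        return ''; // Render nothing rather than including an unexpected file.
    }
    ob_start();
    include $template;
    return (string) ob_get_clean();
}

add_shortcode('example_blog_list', 'example_blog_list_shortcode');
```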

Related Identifiers: CVE-2024-4887

Affected Products: Qi Addons For Elementor