Plugin Name: Qi Addons For Elementor
Key Information:
- Software Type: Plugin
- Software Slug: qi-addons-for-elementor
- Software Status: Active
- Software Author: qodeinteractive
- Software Downloads: 2,212,748
- Active Installs: 200,000
- Last Updated: June 20, 2024
- Patched Versions: 1.7.3
- Affected Versions: <= 1.7.2
Vulnerability Details:
- Name: Qi Addons For Elementor <= 1.7.2
- Title: Authenticated (Contributor+) Local File Inclusion
- Type: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2024-4887
- CVSS Score: 7.5
- Publicly Published: June 6, 2024
- Researcher: haidv35 - VCS
- Description: The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in versions up to and including 1.7.2 via the 'behavior' attribute in the qi_addons_for_elementor_blog_list shortcode. This allows authenticated attackers, with Contributor-level access and above, to include remote files on the server, potentially leading to arbitrary code execution.
Summary:
The Qi Addons For Elementor plugin for WordPress has a vulnerability in versions up to and including 1.7.2 that allows authenticated attackers with Contributor-level access and above to include remote files on the server via the 'behavior' attribute in a shortcode. This vulnerability has been patched in version 1.7.3.
Detailed Overview:
The vulnerability stems from inadequate validation of user-supplied input in the 'behavior' attribute of the qi_addons_for_elementor_blog_list shortcode. Attackers can exploit this flaw to execute arbitrary code by including remote files on the server. The risk includes unauthorized access, data theft, and potential server compromise. Patching to version 1.7.3 removes this security issue by implementing proper input validation and handling.
Advice for Users:
Immediate Action: Update the Qi Addons For Elementor plugin to version 1.7.3 immediately to mitigate the risk of exploitation. Check for Signs of Vulnerability: Monitor server logs for any suspicious file inclusions or unexpected server behaviors that may indicate compromise. Alternate Plugins: Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar functionality with better security practices. Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and ensure site security.
Conclusion:
The swift release of version 1.7.3 by the Qi Addons For Elementor plugin developers highlights the critical need for timely updates in securing WordPress sites. Users should ensure they are running version 1.7.3 or newer to protect their WordPress installations from potential exploits.
References:
Detailed Report:
In today's digital age, maintaining the security of your WordPress website is non-negotiable. The Qi Addons For Elementor plugin, used by over 200,000 active installations, recently came under scrutiny due to a critical vulnerability. Identified as Authenticated (Contributor+) Local File Inclusion (CVE-2024-4887), this flaw allows authenticated attackers with Contributor-level access and above to exploit the 'behavior' attribute in the qi_addons_for_elementor_blog_list shortcode. By leveraging this vulnerability, attackers can inject and execute malicious code on the server, potentially compromising sensitive data or even gaining unauthorized access to the entire website.
Summary:
The Qi Addons For Elementor plugin for WordPress has a vulnerability in versions up to and including 1.7.2 that allows authenticated attackers with Contributor-level access and above to include remote files on the server via the 'behavior' attribute in a shortcode. This vulnerability has been patched in version 1.7.3.
Detailed Overview:
The vulnerability stems from inadequate validation of user-supplied input in the 'behavior' attribute of the qi_addons_for_elementor_blog_list shortcode. Attackers can exploit this flaw to execute arbitrary code by including remote files on the server. The risk includes unauthorized access, data theft, and potential server compromise. Patching to version 1.7.3 removes this security issue by implementing proper input validation and handling.
Advice for Users:
Immediate Action: Update the Qi Addons For Elementor plugin to version 1.7.3 immediately to mitigate the risk of exploitation. Regularly check for Signs of Vulnerability by monitoring server logs for any suspicious file inclusions or unexpected server behaviors that may indicate compromise. Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar functionality with better security practices. Always Stay Updated by regularly updating all WordPress plugins to their latest versions to prevent vulnerabilities and ensure site security.
Conclusion:
The swift release of version 1.7.3 by the Qi Addons For Elementor plugin developers highlights the critical need for timely updates in securing WordPress sites. Users should ensure they are running version 1.7.3 or newer to protect their WordPress installations from potential exploits.
Previous vulnerabilities:
There have been 5 previous vulnerabilities since November 9, 2023.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.