Qi Addons For Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0826 | WordPress Plugin Vulnerability Report

Plugin Name: Qi Addons For Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: qi-addons-for-elementor
  • Software Status: Active
  • Software Author: qodeinteractive
  • Software Downloads: 1,685,695
  • Active Installs: 100,000
  • Last Updated: March 19, 2024
  • Patched Versions: 1.6.8
  • Affected Versions: <= 1.6.7

Vulnerability Details:

  • Name: Qi Addons For Elementor <= 1.6.7
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0826
  • CVSS Score: 6.4
  • Publicly Published: March 18, 2024
  • Researcher: Webbernaut
  • Description: The Qi Addons For Elementor plugin is susceptible to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.6.7, due to inadequate input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers, with contributor or higher permissions, to embed arbitrary web scripts into pages, which execute whenever an affected page is accessed.


Qi Addons For Elementor, a popular plugin designed to enhance Elementor with additional widgets and features, contains a vulnerability in versions up to and including 1.6.7. This vulnerability, identified as CVE-2024-0826, involves Stored Cross-Site Scripting and has been effectively patched in version 1.6.8.

Detailed Overview:

This security flaw was brought to light by the researcher Webbernaut, revealing a significant risk associated with the plugin's widgets. By failing to properly sanitize and escape input from users, the plugin opened a door for attackers with at least contributor permissions to inject harmful scripts into web pages. Such scripts could be executed unknowingly by any user visiting the compromised page, leading to potential data theft, account compromise, and other security breaches.

Advice for Users:

  • Immediate Action: To mitigate this risk, users of the Qi Addons For Elementor plugin are advised to update to the patched version 1.6.8 immediately.
  • Check for Signs of Vulnerability: Website administrators should review their sites for any unusual content, especially within pages utilizing Elementor and Qi Addons widgets, and audit user roles to ensure only trusted users have the capability to edit content.
  • Alternate Plugins: While the patch resolves this specific issue, users might consider evaluating alternative plugins for Elementor that offer similar functionality, to diversify their site's dependency on single plugins.
  • Stay Updated: The cornerstone of plugin security lies in regular updates. Ensure that all WordPress plugins, themes, and the core itself are kept up-to-date to protect against known vulnerabilities.


The prompt patching of CVE-2024-0826 by Qi Addons For Elementor's developers serves as a reminder of the critical importance of software maintenance in the digital landscape. Users must remain vigilant, ensuring their site's components are current to safeguard against potential threats. This incident reinforces the ongoing need for the WordPress community to prioritize security in plugin development and usage.


Detailed Report: 

In today's digital ecosystem, the integrity and security of a website are paramount, particularly for small businesses that heavily rely on their online presence. The recent discovery of a significant vulnerability in the Qi Addons For Elementor plugin serves as a crucial reminder of the ever-present need for vigilance and timely updates in website management. Identified as CVE-2024-0826, this vulnerability not only highlights the inherent risks in using third-party plugins but also underscores the importance of maintaining them to safeguard against potential threats.

Qi Addons For Elementor: Enhancing Elementor's Capabilities

Qi Addons For Elementor, developed by qodeinteractive, is a popular plugin designed to augment the Elementor page builder with additional widgets and features. Boasting over 1.6 million downloads and 100,000 active installations, its widespread use within the WordPress community is a testament to its utility. However, this utility comes with the responsibility of ensuring its security, as evidenced by the recent vulnerability.

The Vulnerability: CVE-2024-0826 Unveiled

CVE-2024-0826, an Authenticated Stored Cross-Site Scripting (XSS) vulnerability, was discovered in versions of Qi Addons For Elementor up to and including 1.6.7. This flaw was due to insufficient input sanitization and output escaping on user-supplied attributes, allowing attackers with contributor-level access or higher to embed arbitrary web scripts into pages. Such scripts, when executed, could lead to unauthorized access, data breaches, and other security compromises, particularly on websites hosted on servers where these permissions could be exploited.

Risks and Impacts: Understanding the Threat

The implications of CVE-2024-0826 are far-reaching, with the potential to compromise the security of any WordPress site using an affected version of the plugin. The execution of malicious scripts could lead to the theft of sensitive information, unauthorized control over the website, and erosion of visitor trust. For small businesses, such breaches can have devastating consequences, from financial losses to irreparable damage to reputation.

Remediation: Steps to Secure Your Site

In response to the discovery of CVE-2024-0826, the developers of Qi Addons For Elementor promptly released a patched version, 1.6.8, effectively addressing the vulnerability. Users of the plugin are strongly advised to update to this version immediately to secure their sites. Additionally, conducting regular site audits, monitoring user roles and permissions, and staying informed about potential vulnerabilities are key practices in maintaining site security.

Historical Vulnerabilities: A Pattern of Concern

This is not the first instance of vulnerability within Qi Addons For Elementor, with two other issues reported since November 9, 2023. This pattern emphasizes the critical nature of continuous monitoring and updating of plugins to protect against emerging threats.

The Imperative of Proactive Security Measures

For small business owners managing WordPress websites, the discovery of vulnerabilities like CVE-2024-0826 serves as a poignant reminder of the importance of proactive security measures. Staying abreast of updates, understanding the plugins in use, and implementing security best practices are not just recommendations but necessities in today's digital age. Ensuring the security of your website not only protects your business but also preserves the trust and confidence of your customers.

In conclusion, the ever-evolving landscape of website security demands constant vigilance from website owners. The case of CVE-2024-0826 within Qi Addons For Elementor is a stark reminder of the ongoing need to prioritize the security of digital assets. By adopting a proactive approach to plugin management and security, small business owners can significantly mitigate the risks posed by such vulnerabilities, ensuring the resilience and reliability of their online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Qi Addons For Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0826 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment