Qi Addons For Elementor Vulnerability – Authenticated Stored Cross-Site Scripting via Countdown Widget – CVE-2024-3309 | WordPress Plugin Vulnerability Report

Plugin Name: Qi Addons For Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: qi-addons-for-elementor
  • Software Status: Active
  • Software Author: qodeinteractive
  • Software Downloads: 1,882,207
  • Active Installs: 200,000
  • Last Updated: May 10, 2024
  • Patched Versions: 1.7.1
  • Affected Versions: <= 1.7.0

Vulnerability Details:

  • Name: Qi Addons For Elementor <= 1.7.0
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3309
  • CVSS Score: 6.4
  • Publicly Published: April 26, 2024
  • Researcher: Webbernaut
  • Description: The Qi Addons For Elementor plugin for WordPress contains a vulnerability in versions up to and including 1.7.0 that permits stored cross-site scripting (XSS). This issue occurs through the Countdown Widget's attributes, where insufficient input sanitization and output escaping allow authenticated users with contributor-level access or higher to inject arbitrary web scripts. These scripts can execute on the client side whenever a user accesses a page containing the compromised widget.


The Qi Addons For Elementor plugin for WordPress has a vulnerability in versions up to and including 1.7.0 that enables authenticated contributors to perform stored XSS attacks via the Countdown widget. This vulnerability has been patched in the recently released version 1.7.1.

Detailed Overview:

Stored XSS vulnerabilities like the one found in the Qi Addons For Elementor plugin allow attackers to embed malicious scripts into web pages that persist on the server. When other users access these compromised pages, the malicious scripts execute, potentially leading to unauthorized access, data theft, or other malicious outcomes. The vulnerability in the Countdown widget highlights the critical need for rigorous input validation and output encoding in software development to prevent such security issues.

Advice for Users:

  • Immediate Action: Users are encouraged to update to version 1.7.1 immediately to address this security issue.
  • Check for Signs of Vulnerability: Admins should review their site pages for unexpected or unfamiliar JavaScript or HTML, which might indicate that this XSS vulnerability has been exploited.
  • Alternate Plugins: While the current version is secure, users may consider alternative Elementor addons plugins as a precautionary measure until they have verified the effectiveness of the patch.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to prevent vulnerabilities from being exploited.


The prompt update provided by Qode Interactive for the Qi Addons For Elementor plugin underscores the critical importance of timely software updates in mitigating security risks. It is crucial for users to install updates as soon as they are available to protect their sites from potential threats. This incident serves as a reminder of the ongoing vigilance required to maintain secure WordPress installations.


Detailed Report: 

In the dynamic realm of digital content management, maintaining the security of your website is not merely an operational task; it is a critical responsibility that demands constant vigilance. The discovery of a significant vulnerability in the Qi Addons For Elementor plugin, popular among WordPress users, brings to light the ever-present risks inherent in third-party plugins. With the CVE identifier CVE-2024-3309, this vulnerability underscores the necessity for web administrators to keep their sites meticulously updated to ward off potential cyber threats.

Vulnerability Details

Identified as a stored cross-site scripting (XSS) vulnerability within the Countdown widget of the Qi Addons For Elementor, CVE-2024-3309 allowed authenticated users, specifically those with contributor-level access, to inject harmful scripts. These scripts could be executed unsuspectingly by any user visiting the affected pages, leading to potential data theft, session hijacking, or worse.

Impact and Risks

The capability of malicious actors to execute scripts on a client's browser without direct interaction makes stored XSS particularly dangerous. For a plugin like Qi Addons For Elementor, which boasts over 200,000 active installations, the implications are extensive, affecting countless users and businesses that could suffer compromised data integrity and privacy breaches.

Remediation Steps

To address this vulnerability, the developers have released version 1.7.1 of the plugin, which eliminates the vulnerability through enhanced sanitization and security checks. Users should:

  • Update the plugin immediately to version 1.7.1.
  • Conduct a thorough review of site pages and any custom scripts for signs of tampering.
  • Educate users with access permissions on the importance of cautious script handling and secure login practices.

Overview of Previous Vulnerabilities

Prior to CVE-2024-3309, Qi Addons For Elementor encountered three documented vulnerabilities since November 9, 2023. This trend indicates a pattern that necessitates regular updates and security checks to mitigate emerging threats effectively.


The prompt response by Qode Interactive to address the vulnerability in Qi Addons For Elementor highlights the critical role of timely updates in maintaining a secure online environment. For small business owners, this incident serves as a potent reminder of the necessity of regular, proactive security measures. Automating updates where possible, employing robust security plugins, and conducting regular audits are essential steps to safeguard against vulnerabilities. Keeping your website secure is not just about protecting data; it’s about preserving trust and ensuring the continuity of your online operations.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Qi Addons For Elementor Vulnerability – Authenticated Stored Cross-Site Scripting via Countdown Widget – CVE-2024-3309 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment