Ctrl + K
/ news / CVE
CVEPublished 2024-06-07Modified 2026-04-080 articles on news5 live referencesNVD data

CVE-2024-4887Qodeinteractive · Qi_addons_for_elementor

Vulnerability data via NVD (ingested)

CVSS v3.1
7.5
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS percentile
63
Exploit Prediction Scoring System · top 37% of all CVEs
Weaknesses (CWE)
CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')CWE-706Use of Incorrectly-Resolved Name or Reference
Description

The Qi Addons For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.

Timeline
Published 2024-06-07
Modified 2026-04-08

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2024-4887
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · WP plugin path
http.html:"/wp-content/plugins/qi-addons-for-elementor/"
Matches any site loading the "qi-addons-for-elementor" plugin — doesn't rely on Shodan's vuln tag.
Shodan · product
product:"Qodeinteractive Qi Addons For Elementor"
All exposed Qodeinteractive Qi Addons For Elementor instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Qi Addons For Elementor"
HTTP body or banner mentions "Qi Addons For Elementor" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2024-4887
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2024-4887
Censys host search filtered to this CVE id.
grep.app
CVE-2024-4887
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2024-4887
GitHub code search for direct mentions.
Google dork
"CVE-2024-4887" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (3)

CVE-2024-48873 repos
k0yt/Awesome-InfoSec-TG-channelsPython
For the most part, these are RUS tg channels and assembled manually in channels.txt. The list of subscribers is updated every 12 hours.
★ 42·updated 1y ago
svg153/awesome-starsunknown
★ 12·updated 1w ago
gh0stsh3ll56/Windows-Privilege-Escalation-Lateral-Movement-Decision-Treeunknown
Windows Privilege Escalation & Lateral Movement Decision Tree Overview.
★ 6·updated 3mo ago
We haven't classified any articles referencing CVE-2024-4887 yet. The external references above still apply.