CVE-2024-4887

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-706
View all →

Vulnerability Description

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.

Related Vulnerabilities

CVE-2018-12020

HIGH
CVSS:7.5(High)

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to...

CWE-7062018

CVE-2019-1351

HIGH
CVSS:7.5(High)

A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.

CWE-7062019

CVE-2020-35894

HIGH
CVSS:7.5(High)

An issue was discovered in the obstack crate before 0.1.4 for Rust. Unaligned references can occur.

CWE-7062020

CVE-2021-27306

HIGH
CVSS:7.5(High)

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.

CWE-7062021

CVE-2021-40856

HIGH
CVSS:7.5(High)

Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring.

CWE-7062021

CVE-2023-42451

HIGH
CVSS:7.5(High)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain ...

CWE-7062023