CVE-2024-4887 is a Remote File Inclusion vulnerability classified under CWE-98, found in the Qi Addons For Elementor plugin for WordPress, specifically in all versions up to and including 1.7.2. The vulnerability arises from improper control of filenames used in include/require statements within the plugin's code, particularly via the 'behavior' attributes in the qi_addons_for_elementor_blog_list shortcode. Authenticated attackers with Contributor-level or higher privileges can exploit this flaw to include remote files on the server. This inclusion can lead to arbitrary code execution, compromising the server hosting the WordPress site. The exploitation requires the attacker to create a non-existent directory or leverage scenarios where the PHP function file_exists does not return false for non-existent directories in the path, adding complexity to the attack vector. The vulnerability has a CVSS v3.1 score of 7.5, indicating high severity, with attack vector network, attack complexity high, privileges required low, no user interaction, and impacts on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a significant risk given the widespread use of the plugin and WordPress. The lack of an official patch at the time of reporting necessitates immediate mitigation efforts by administrators.

The impact of CVE-2024-4887 is substantial for organizations running WordPress sites with the vulnerable Qi Addons For Elementor plugin. Successful exploitation allows attackers to execute arbitrary code remotely, potentially leading to full server compromise. This can result in data breaches, defacement, malware deployment, or pivoting to internal networks. Since the vulnerability requires only Contributor-level access, attackers can leverage compromised or weak user accounts to escalate their privileges and execute attacks. The confidentiality, integrity, and availability of affected systems are all at risk. Organizations relying on WordPress for business-critical websites or e-commerce platforms face reputational damage, financial losses, and regulatory consequences if exploited. The complexity of exploitation reduces immediate risk but does not eliminate it, especially in environments where attackers can manipulate file system structures or exploit specific PHP behaviors.

To mitigate CVE-2024-4887, organizations should immediately restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of authenticated exploitation. Administrators should monitor shortcode usage, especially the qi_addons_for_elementor_blog_list shortcode with 'behavior' attributes, for suspicious or unexpected inputs. Implement web application firewalls (WAFs) with rules to detect and block attempts to include remote files or unusual shortcode parameters. Disable or limit PHP functions such as include, require, and file_exists where feasible, or use hardened PHP configurations to prevent remote file inclusion. Regularly audit user accounts and remove inactive or unnecessary Contributor-level users. Since no official patch is currently available, consider temporarily disabling the Qi Addons For Elementor plugin if possible or replacing it with alternative plugins without this vulnerability. Stay updated with vendor advisories for patches and apply them promptly once released. Employ intrusion detection systems to identify anomalous file inclusion or code execution attempts.