Several security vulnerabilities have been found in the widely used Avada theme and its companion Avada Builder plugin. The flaws, reported by security researcher Rafie Muhammad of Patchstack, put a large number of WordPress sites at risk of compromise.
Two of the vulnerabilities affect the Avada Builder plugin. The first is an authenticated SQL injection (CVE-2023-39309): an attacker who already holds an account on the site can use it to read sensitive data from the database and, according to the advisory, potentially achieve remote code execution.
The second is a reflected cross-site scripting (XSS) flaw (CVE-2023-39306). Reflected XSS needs no account on the site, but it does need a victim: the attacker crafts a link and has to get a privileged user, typically an administrator, to open it. The injected script then runs in that user's browser session, where it can steal sensitive information and perform actions with that user's privileges, effectively escalating the attacker's access.
Patchstack also found several vulnerabilities in the Avada theme itself. The most serious is a Contributor+ arbitrary file upload (CVE-2023-39307): any user with the Contributor role or higher can upload arbitrary files, including PHP files. Contributor is a low-privilege role that normally cannot even publish posts or upload media, so an uploaded PHP webshell from such an account leads straight to remote code execution and full compromise of the site.
A related Author+ vulnerability (CVE-2023-39312) lets users with the Author role or higher upload malicious zip archives, which again can lead to remote code execution once the archive contents are written to disk.
The last of the theme vulnerabilities is a Contributor+ server-side request forgery (SSRF) (CVE-2023-39313). A Contributor can make the WordPress server issue HTTP requests on their behalf to internal services that are reachable from the host but not from the Internet, such as services bound to localhost or on the internal network, potentially triggering unauthorized actions or exposing internal data.
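A site that ran a vulnerable theme version needs more than an update: the Contributor+ and Author+ upload bugs above mean any PHP already dropped into wp-content/uploads survives the patch. The script below is an added triage example, not Patchstack's or Avada's code, and the indicators it looks for (PHP extensions, a PHP open tag inside an image-named file, PHP entries inside an uploaded zip, and .htaccess or .user.ini files that can re-enable PHP execution in the uploads tree) are generic webshell indicators rather than details taken from the advisories. The sample uploads tree it scans is constructed inside the script.

```python
"""Triage helper for arbitrary-file-upload bugs: walk a WordPress uploads
directory and flag anything that could give an attacker PHP execution.
Added example, not Patchstack's or Avada's code; the patterns flagged are
generic webshell indicators, not details from the Avada advisories."""
import io
import os
import re
import tempfile
import zipfile

PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
# Files that can change handler mappings or PHP settings inside uploads.
SERVER_CONFIG_FILES = {".htaccess", ".user.ini"}
# Full open tag and the short echo tag; PHP executes both.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
HEAD_BYTES = 4096


def looks_like_php(data: bytes) -> bool:
    """True if a PHP open tag appears in the first HEAD_BYTES of the data."""
    return PHP_OPEN_TAG.search(data[:HEAD_BYTES]) is not None


def scan_zip(path: str) -> list:
    """Inspect each entry of an uploaded archive without extracting it."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as entry:  # bounded read: no zip-bomb extraction
                head = entry.read(HEAD_BYTES)
            if ext in PHP_EXTENSIONS or looks_like_php(head):
                findings.append((path, "php inside archive: " + info.filename))
    return findings


def scan_uploads(root: str) -> list:
    """Return (path, reason) pairs for every suspicious file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in SERVER_CONFIG_FILES:
                findings.append((path, "server config in uploads"))
                continue
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                findings.append((path, "php extension"))
                continue
            if zipfile.is_zipfile(path):  # archives are judged by their entries
                findings.extend(scan_zip(path))
                continue
            with open(path, "rb") as fh:
                if looks_like_php(fh.read(HEAD_BYTES)):
                    findings.append((path, "php tag in non-php file"))
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed sample uploads tree (not real data): one clean image, a
    .php webshell, a JPEG-named file carrying PHP, an .htaccess that maps
    .jpg to PHP, and a zip 'import' containing a PHP file."""
    month = os.path.join(root, "2023", "08")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    with open(os.path.join(month, "shell.php"), "wb") as f:
        f.write(b"<?php system($_GET['c']); ?>")
    with open(os.path.join(month, "avatar.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"<?php eval($_POST['x']); ?>")
    with open(os.path.join(month, ".htaccess"), "wb") as f:
        f.write(b"AddType application/x-httpd-php .jpg\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("theme/readme.txt", "harmless")
        zf.writestr("theme/backdoor.php", "<?php echo 'hi'; ?>")
    with open(os.path.join(month, "import.zip"), "wb") as f:
        f.write(buf.getvalue())


def run_demo() -> list:
    """Build the sample tree in a temp dir and return sorted relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = scan_uploads(tmp)
        return sorted((os.path.relpath(p, tmp).replace(os.sep, "/"), why) for p, why in hits)


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{why:40s} {rel}")
```

Point scan_uploads at the real wp-content/uploads directory of a site that was exposed; anything it reports should be compared against the upload dates in the media library and the access logs for the same period. A clean result is not proof the site is clean, since an attacker with code execution can write files anywhere the web server user can, so the uploads check is a first pass, not a full forensic review.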
The Avada vendor was notified of the vulnerabilities on July 6, 2023 and released patched versions on July 11, 2023. Patchstack added the issues to its vulnerability database and published the advisory on August 10, 2023.
To address the vulnerabilities, update the Avada Builder plugin to version 3.11.2 or later and the Avada theme to version 7.11.2 or later. Because the file upload and SSRF issues are reachable from Contributor and Author accounts, sites with open registration or a large pool of low-privilege users should treat the update as urgent, and should review recent uploads for PHP files if the site ran a vulnerable version while such accounts existed.