Multiple Flaws Found in the Avada WordPress Theme and Plugin

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Multiple vulnerabilities have been identified in the widely used Avada theme and its accompanying Avada Builder plugin. 

These security flaws, uncovered by Patchstack’s security researcher Rafie Muhammad, expose a significant number of WordPress websites to potential breaches.

Within these vulnerabilities, the Avada Builder plugin exhibits two weaknesses. The first is an Authenticated SQL Injection (CVE-2023-39309). Exploiting this vulnerability, attackers possessing authenticated access could breach sensitive data and potentially execute remote code.

The second is a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-39306), enabling unauthenticated attackers to pilfer sensitive information and potentially heighten their privileges on impacted WordPress sites.

Read more on WordPress-related vulnerabilities: WooCommerce Bug Exploited in Targeted WordPress Attacks

Patchstack also discovered various vulnerabilities in the Avada theme. First among them is a Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307). In this scenario, Contributors gain the ability to upload arbitrary files, which may encompass detrimental PHP files, thereby enabling remote code execution and compromising site integrity.

Similarly consequential is the revelation of a counterpart Author+ flaw (CVE-2023-39312). Here, Authors attain the capability to upload malevolent zip files, thereby introducing the potential for remote code execution and vulnerabilities within the site.

Concluding this series of vulnerabilities is the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). Through this loophole, Contributors can instigate requests to internal services on the WordPress server, thereby potentially initiating unauthorized actions or data access within the organizational framework.

The vulnerabilities were reported to the Avada vendor on July 6 2023, leading to the release of patched versions on July 11 2023. Patchstack included the vulnerabilities in their vulnerability database, and the security advisory was made public on August 10 2023.

To address these vulnerabilities, users are urged to update the Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2. Ensuring prompt updates is crucial to maintain website security.

Editorial image credit: BigTunaOnline / Shutterstock.com

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities
Adding insult to injury: crypto recovery scams
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
Android Flaw Affected Apps With 4 Billion Installs
Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

Leave a Reply

Your email address will not be published. Required fields are marked *