A number of vulnerabilities have been recognized within the broadly used Avada theme and its accompanying Avada Builder plugin.
These safety flaws, uncovered by Patchstack’s safety researcher Rafie Muhammad, expose a major variety of WordPress web sites to potential breaches.
Inside these vulnerabilities, the Avada Builder plugin displays two weaknesses. The primary is an Authenticated SQL Injection (CVE-2023-39309). Exploiting this vulnerability, attackers possessing authenticated entry might breach delicate information and doubtlessly execute distant code.
The second is a Mirrored Cross-Web site Scripting (XSS) vulnerability (CVE-2023-39306), enabling unauthenticated attackers to pilfer delicate info and doubtlessly heighten their privileges on impacted WordPress websites.
Learn extra on WordPress-related vulnerabilities: WooCommerce Bug Exploited in Focused WordPress Assaults
Patchstack additionally found varied vulnerabilities within the Avada theme. First amongst them is a Contributor+ Arbitrary File Add vulnerability (CVE-2023-39307). On this state of affairs, Contributors achieve the power to add arbitrary information, which can embody detrimental PHP information, thereby enabling distant code execution and compromising website integrity.
Equally consequential is the revelation of a counterpart Creator+ flaw (CVE-2023-39312). Right here, Authors attain the aptitude to add malevolent zip information, thereby introducing the potential for distant code execution and vulnerabilities throughout the website.
Concluding this sequence of vulnerabilities is the Contributor+ Server-Aspect Request Forgery (SSRF) vulnerability (CVE-2023-39313). By means of this loophole, Contributors can instigate requests to inner providers on the WordPress server, thereby doubtlessly initiating unauthorized actions or information entry throughout the organizational framework.
The vulnerabilities had been reported to the Avada vendor on July 6 2023, resulting in the discharge of patched variations on July 11 2023. Patchstack included the vulnerabilities of their vulnerability database, and the safety advisory was made public on August 10 2023.
To deal with these vulnerabilities, customers are urged to replace the Avada Builder plugin to model 3.11.2 and the Avada theme to model 7.11.2. Making certain immediate updates is essential to preserve web site safety.
Editorial picture credit score: BigTunaOnline / Shutterstock.com