Avada Theme and Plugin
The Avada theme – the most popular theme in WordPress – is the top-selling theme on ThemeForest, with over 900,000 copies sold. The theme is paired with the Avada Builder plugin, developed by ThemeFusion.
The theme calls itself “The Complete WordPress Website Building Toolkit” and is geared toward premium website builders. Without writing a single line of code, users can create everything from one-page business websites to an online marketplace.
Security Flaws
Among the many vulnerabilities found in the Avada Builder plugin, the first is an Authenticated SQL Injection (CVE-2023-39309). By exploiting this flaw, threat actors may enable authentication access, then compromise sensitive data and possibly execute remote code.
The second, a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-39306), enables unauthenticated attackers to steal sensitive data and perhaps elevate their privileges on affected WordPress sites.
Additionally, Patchstack found a number of flaws in the Avada theme. A Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307)
[…]