What is the Avada theme for WordPress?

The Avada theme for WordPress is a product by ThemeFusion and one of ThemeForest's top-selling themes, with nearly 950,000 sales. It is known for its flexibility, offering users a wide range of customization options without needing to write code.

What was the vulnerability found in the Avada theme?

A high-severity Arbitrary File Upload Vulnerability, tracked as CVE-2023-39307 (CVSS score 8.8), was found in all Avada versions up to and including 7.11.4. This vulnerability stems from the lack of file type validation within the `ajax_import_options()` function, allowing authenticated users with contributor-level access or higher the ability to upload arbitrary files to the server.

What are the potential risks associated with CVE-2023-39307?

The vulnerability could lead to remote code execution or overloading the server with massive files, posing a significant risk to website security and functionality.

What actions should Avada theme users take?

ThemeFusion released a patched version of the theme, version 7.11.5, on February 12th, 2024. All users of the Avada theme are advised to update to this latest version as soon as possible to mitigate the vulnerability.

Advisory

Avada WordPress theme fixes arbitrary file upload flaw

published: Feb. 29, 2024

Take action: If you are using Avada WordPress theme, update it to the latest version, or disable file uploads.

Learn More

The Avada theme for WordPress, a product by ThemeFusion and one of ThemeForest's top-selling themes with nearly 950,000 sales, has fixed a high-severity Arbitrary File Upload Vulnerability.

The vulnerability, tracked as CVE-2023-39307 (CVSS score 8.8) is present in all Avada versions up to and including 7.11.4. It stems from the lack of file type validation within the `ajax_import_options()` function, allowing authenticated users with contributor-level access or higher the ability to upload arbitrary files to the server. This vulnerability could lead to remote code execution or overloading the server with massive files.

ThemeFusion released a patched version of the theme, version 7.11.5, on February 12th 2024. All plugin users are advised to patch ASAP.

Avada WordPress theme fixes arbitrary file upload flaw

Read More
WordPress releases version 6.4.2, advising update because of …
SQL Injection Vulnerability Reported in Quiz and Survey …
Critical security vulnerability in Premium WordPress Motors theme …
Active exploitation of critically vulnerable WordPress Motors theme
SessionReaper flaw in Adobe Magento actively exploited