Multiple vulnerabilities have been identified in the widely used Avada theme and its accompanying Avada Builder plugin.

These security flaws, uncovered by Patchstack’s security researcher Rafie Muhammad, expose a significant number of WordPress websites to potential breaches.

Within these vulnerabilities, the Avada Builder plugin exhibits two weaknesses. The first is an Authenticated SQL Injection (CVE-2023-39309). Exploiting this vulnerability, attackers possessing authenticated access could breach sensitive data and potentially execute remote code.

The second is a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-39306), enabling unauthenticated attackers to pilfer sensitive information and potentially heighten their privileges on impacted WordPress sites.

Read more on WordPress-related vulnerabilities: WooCommerce Bug Exploited in Targeted WordPress Attacks

Patchstack also discovered various vulnerabilities in the Avada theme. First among them is a Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307). In this scenario, Contributors gain the ability to upload arbitrary files, which may encompass detrimental PHP files, thereby enabling remote code execution and compromising site integrity.

Similarly consequential is the revelation of a counterpart Author+ flaw (CVE-2023-39312). Here, Authors attain the capability to upload malevolent zip files, thereby introducing the potential for remote code execution and vulnerabilities within the site.

Concluding this series of vulnerabilities is the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). Through this loophole, Contributors can instigate requests to internal services on the WordPress server, thereby potentially initiating unauthorized actions or data access within the organizational framework.

The vulnerabilities were reported to the Avada vendor on July 6 2023, leading to the release of patched versions on July 11 2023. Patchstack included the vulnerabilities in their vulnerability database, and the security advisory was made public on August 10 2023.

To address these vulnerabilities, users are urged to update the Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2. Ensuring prompt updates is crucial to maintain website security.