Avada < 6.2.3 - Missing Permission Checks leading to Arbitrary Post Creation, Editing, Deletion and Stored XSS

Description
NinTechNet published details of multiple security vulnerabilities in the premium Avada WordPress theme on their blog after responsibly disclosing them to the theme's vendor.

These vulnerabilities included:

- Content Injection & Stored XSS
- Arbitrary Post Deletion
- Arbitrary Post Creation

These vulnerabilities were reportedly fixed in Avada version 6.2.3, released on April 24th, 2020.

Affects Theme

Avada, fixed in version 6.2.3

References

- https://blog.nintechnet.com/avada-wordpress-theme-fixed-multiple-vulnerabilities/
- https://theme-fusion.com/security-fix-added-in-6-2-3/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Jerome Bruandet (nintechnet.com)
Verified No
WPVDB ID 10209

Timeline

Publicly Published 2020-05-01
Added 2020-05-01
Last Updated 2020-05-05
