We have released Avada 7.11.6, which fixes Avada Forms database submission entries being viewable at the Contributor user role level by default. This is disclosed in our Changelog and our Important Update Info help file.
To provide better context, it is not a security issue per se. Rather, it depends on your setup and personal preference. Below, we list all the factors that need to be combined for this to happen.
First, you need to use Avada Forms. If you do, you have to explicitly choose to save form submissions to the database. Furthermore, you need to use a form that collects data you don’t want your authenticated users with the user role “Contributor” to view. You also need to allow the Contributor user role on your site. Finally, in the Avada Role Manager (WP Dashboard > Avada > Options > Builder Options), you must have left the Form Submissions privilege checked for Contributors.
With this update, Contributors can only see the data of forms that they have created themselves. You can still turn access off completely using the Avada Role Manager.
Like WordPress and any entity that develops software, we understand that security is not absolute; it is a continuous process and is managed as such. We do our best to prevent security issues as proactively as possible, as we do not assume they’ll never come up. Our responsibility is to take care of them quickly and work to get our customers notified and prepared. This is why we recommend keeping your website and plugins up to date and maintained at all times.
What Should I Do Next?
We cannot stress enough the importance of ensuring that your website is kept up to date and maintained at all times. Please update to ensure that your installation is issue-free and the fix detailed above is applied. These are our detailed update instructions:
We would like to extend our gratitude and thanks to Wordfence.