
We have released Avada 7.11.7, fixing a few minor security issues that can only be exploited by authenticated Contributor+ level users. This is disclosed in our Changelog and our Important Update Info help file.

These issues were raised during the Wordfence Bug Bounty Extravaganza. The vastly increased bug bounties paid during this campaign have led to an increase in security researchers trying to earn their share. This, in turn, has surfaced security issues across many players in the WordPress ecosystem.

  • SECURITY: Fixed Contributor+-level-only XSS vulnerability, allowing site Contributors to add custom script code to certain element link options
  • SECURITY: Fixed Contributor+-level-only SSRF vulnerability, allowing Contributors to set Avada Form submission type to unsafe web requests
  • SECURITY: Fixed Admin+-level-only SQL injection vulnerability, where SQL code could be injected into an Avada Forms submissions entry removal request
  • SECURITY: Fixed possibility of Avada Forms upload folder being directly accessible
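The three server-side issue classes named in the changelog (script code in link options, unsafe outbound requests from a form, and unprepared SQL in an entry removal request) each have a standard WordPress defensive pattern. The fragment below is an added illustration written for this post, not Avada's code, and its hook names, table name and admin page slug are placeholders.

```php
<?php
// Added illustration (not Avada's code): defensive patterns for the issue
// classes listed above, as a small WordPress plugin fragment.
// Hook names, the table name and the admin page slug are placeholders.

// 1. Entry removal: capability check, nonce, integer cast, prepared statement.
add_action( 'admin_post_example_remove_entry', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_remove_entry' ); // dies on a bad or missing nonce

    global $wpdb;
    $entry_id = absint( $_POST['entry_id'] ?? 0 );
    $table    = $wpdb->prefix . 'example_form_entries'; // placeholder table name
    if ( $entry_id > 0 ) {
        // %d placeholder: the request value is bound, never spliced into the SQL
        $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $entry_id ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-entries' ) );
    exit;
} );

// 2. Form submission forwarded to a remote URL: validate the destination and
//    use the "safe" HTTP API, which refuses loopback/private hosts and odd ports.
function example_forward_submission( string $target_url, array $fields ) {
    $url = wp_http_validate_url( $target_url );
    if ( false === $url || 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        return new WP_Error( 'unsafe_target', 'Submission target rejected' );
    }
    return wp_safe_remote_post( $url, array( 'body' => $fields, 'timeout' => 10 ) );
}

// 3. Link options rendered into HTML: restrict the scheme and escape both
//    the URL and the label, so script: style URLs never reach the href.
function example_render_link( string $url, string $label ): string {
    $safe_url = esc_url( $url, array( 'http', 'https', 'mailto' ) );
    if ( '' === $safe_url ) {
        return esc_html( $label ); // unsupported scheme: render plain text only
    }
    return sprintf( '<a href="%s">%s</a>', $safe_url, esc_html( $label ) );
}
```

Note that `esc_url()` with an explicit protocol list returns an empty string for a `javascript:` URL, which is why the label is rendered without a link in that case.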

Like WordPress and any entity that develops software, we understand that security is not absolute and is a continuous process managed as such. We do our best to prevent security issues as proactively as possible, as we do not assume they’ll never come up. Our responsibility is to quickly take care of them and work to get our customers notified and prepared. This is why we recommend keeping your website and plugins up-to-date and maintained at all times.

What Should I Do Next?

We cannot stress enough the importance of ensuring that your website is kept up to date and maintained at all times. Please update to ensure that your installation is issue-free and the fix detailed above is applied. These are our detailed update instructions:

We would like to extend our gratitude and thanks to Wordfence.
