We have released Avada 7.15.2, which delivers an array of exciting new features and improvements and fixes five security issues:

  • SECURITY: Fixed an unauthenticated SQL injection vulnerability via the product_order parameter in the Post Cards Element.
  • SECURITY: Fixed Subscriber+ users being able to set up a stored XSS through the fallback option in dynamic data.
  • SECURITY: Fixed Subscriber+ users being able to access arbitrary file contents through the custom SVG option in the Section Separator Element.
  • SECURITY: Enforced that non-admin users cannot store the Code Block Element in their user meta.
  • SECURITY: Enforced that protected (underscore-prefixed) post meta fields and WordPress actions cannot be used in dynamic data by non-admin users.

This is disclosed in our Changelog and our Important Update Info help file.

Like WordPress and any entity that develops software, we understand that security is not absolute; it is a continuous process, and we manage it as such. We do our best to prevent security issues as proactively as possible, but we do not assume they’ll never come up. Our responsibility is to take care of them quickly and to get our customers notified and prepared. This is why we recommend keeping your website and plugins up to date and maintained at all times.

What Should I Do Next?

We cannot stress enough the importance of ensuring that your website is kept up to date and maintained at all times. Please update to ensure that your installation is issue-free and the fixes detailed above are applied. These are our detailed update instructions:

We would like to extend our gratitude and thanks to Wordfence.
