HQ/EMEAFind out how we can help your business
The widely used Avada plugin has shown multiple vulnerabilities that could affect every WordPress website that employs its services. The new exposure could become detrimental to all WordPress websites since the security flaws could enable hackers to execute data breach campaigns.
Based on reports, the Avada Builder plugin displays a couple of deficiencies that could allow the attackers to exploit the newly discovered vulnerabilities. The first weakness is in the Authenticated SQL Injection tracked by researchers as CVE-2023-39309. This flaw could enable exploiters to acquire authenticated access to sensitive information and ultimately gain remote code capabilities.
The other flaw is the Reflected Cross-Site Scripting (XSS) bug tracked by researchers as CVE-2023-39306. The vulnerability could enable unauthenticated threat actors to harvest critical data and potentially escalate their privilege on compromised WordPress websites.
The newfound bugs within the Avada plugin could also affect its themes.
Further investigations show that various vulnerabilities within the Avada plugin could compromise its themes.
The first identified flaw is a Contributor+ Arbitrary File Upload bug tracked by researchers as CVE-2023-39307. In this case, the Contributors acquire the ability to upload arbitrary files, which could hold essential PHP files. Hence, threat actors could obtain RCE and compromise the site’s integrity.
The second bug could also relate to the first one since it is the opposite. The Author+ vulnerability or CVE-2023-39312 could allow attackers to upload malicious zip archives that could give hackers RCE and exploit vulnerabilities directly within the website.
These vulnerabilities could initiate requests for internal services on the WordPress server through the loopholes provided by the flaws. Hence, a cybercriminal campaign could start unauthorised sequences or commands and grant attackers data access within a compromised infrastructure.
These flaws came to light last month and have already reached the Avada developers. Fortunately, the admins have immediately developed a patch to address the issue. On the other hand, the researchers published the vulnerability earlier this month.
Cybersecurity experts urge WordPress website admins that employ Avada to update their plugin version to its latest versions. These updates will increase the safety of websites and mitigate the chances of exploitation from threat actors.
