It has recently come to light that several critical vulnerabilities were fixed in the Avada theme in April, although ThemeFusion, the developers of the theme didn’t widely announce the patched release until several weeks later. If you use the Avada WordPress theme on your site, you should upgrade to Avada 5.1.5 as soon as possible.
The Avada theme is among the most popular themes on ThemeForest, and its developers boast that it’s been the single most popular paid WordPress theme for four years in a row. That means tens of thousands of sites could be vulnerable until they update to the most recent version.
It’s unusual for a developer to release a fix for a known vulnerability and then to decline to publicize it. Although information about the patch was available in the release’s changelog, it’s unlikely that many of the theme’s users avidly read changelogs.
Typically, a developer wants as many people as possible to update as soon as possible when a security vulnerability is discovered, although they may choose not to disclose the exact details of the vulnerability. The average user may not scrutinze changelogs, but it’s a fair bet that hackers and criminals do, which means there’s little benefit to keeping quiet about the existence of a security problem.
But regardless of the wisdom of waiting, a full explanation of the vulnerabilities along with code examples is widely available now. The smart choice is to update all sites using the Avada theme before they’re targeted.
The details of the vulnerability can be read about on WordPress Hütte, but the nutshell version is that several cross-site scripting and cross-site request forgery vulnerabilities were discovered by a security researcher. Both are common critical vulnerabilities in web applications that can potentially be used by an attacker to take over a WordPress site or exfiltrate private data.
We’ve discussed cross-site scripting vulnerabilities on this blog before because they’re the number one security problem on the web. Cross-site scripting is caused by a failure to properly sanitize user input. The protoypical cross-site scripting attack occurs when an attacker submits code to a web form and that code is displayed somewhere on a web page without being rendered inert. When a browser loads the page, it executes the code, which is very bad news if the browser belongs to a user with admin privileges.
Cross-site request forgeries are a little more involved, but — as with XSS attacks — they can be used by an attacker to execute arbitrary code in the trusted context of a browser. Attackers often use CSRF vulnerabilities in conjunction with social engineering attacks or phishing attacks against existing trusted users to make sites perform an action, like create an admin user with a password the attacker knows.
In conclusion, upgrade Avada now, because it won’t be long before hackers start looking for sites they can exploit with these vulnerabilities.