Security researchers have discovered a critical vulnerability in the widely used Avada | Website Builder for WordPress & WooCommerce theme. The flaw, present in all versions up to 7.11.4, stems from a lack of file type validation in the ajax_import_options() function. This oversight allows authenticated attackers with contributor-level access or higher to upload arbitrary files to the affected site’s server. The potential consequences are severe: an uploaded file could lead to remote code execution, posing a substantial threat to website security.
Given the severity of this WordPress theme vulnerability, administrators are strongly advised to take immediate action. The absence of proper file type validation means that attackers can exploit this weakness to upload malicious files, gaining unauthorized access to the server. To mitigate the risk of exploitation, it is crucial for website owners to update their Avada theme to the latest version promptly. Failure to do so may leave the site vulnerable to unauthorized file uploads and the subsequent potential for remote code execution.
The National Vulnerability Database (NVD) is yet to provide a specific score for this vulnerability. However, Wordfence, the organization reporting the issue, has rated it as high, with a CVSS 3.1 score of 8.8. This underscores the urgency of addressing the security loophole. Website administrators are strongly urged to stay informed about such vulnerabilities and promptly apply updates to ensure the robustness of their WordPress-based sites.
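To find installs that still need the update, an administrator can read each theme's style.css header and compare its version against the affected range given above. The script below is an added example, not code from Avada or Wordfence; it assumes the standard WordPress layout (wp-content/themes/<dir>/style.css) and that the parent theme's header reads "Theme Name: Avada", and its sample header is constructed.

```python
import re
from pathlib import Path

# From the advisory: every Avada release up to and including 7.11.4 is affected.
LAST_AFFECTED = (7, 11, 4)
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

# Constructed sample header, not copied from a real install.
SAMPLE_STYLE_CSS = """/*
Theme Name: Avada
Description: constructed sample
Version: 7.11.4
*/
"""

def parse_header(css_text):
    """Extract the Theme Name and Version fields from a style.css header."""
    fields = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'7.11.10' -> (7, 11, 10); numeric compare, so 7.11.10 > 7.11.4."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(css_text):
    """Return 'not-avada', 'affected', 'not-affected' or 'unknown-version'."""
    fields = parse_header(css_text)
    # Assumption: the parent theme's header reads exactly "Theme Name: Avada".
    if fields.get("theme name", "").strip().lower() != "avada":
        return "not-avada"
    version = fields.get("version", "")
    if not re.search(r"\d", version):
        return "unknown-version"  # treat as needing manual review
    return "affected" if version_tuple(version) <= LAST_AFFECTED else "not-affected"

def scan(wp_root):
    """Classify every theme under <wp_root>/wp-content/themes."""
    results = {}
    for css in sorted(Path(wp_root).glob("wp-content/themes/*/style.css")):
        results[css.parent.name] = classify(css.read_text(errors="replace"))
    return results

if __name__ == "__main__":
    import sys
    for theme, status in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{theme}: {status}")
```

Run it with the WordPress root as the only argument; any theme reported as "affected" or "unknown-version" should be updated or checked by hand.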