Themes Vulnerabilities

Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF

Description

The Avada WordPress theme was affected by a Stored Cross-Site Scripting (XSS) & CSRF security vulnerability.

Proof of Concept

http://cdn.wphutte.com/Avada/5.1.4/xss.html
http://cdn.wphutte.com/Avada/5.1.4/csrf.html

Affects Themes

Avada
Fixed in 5.1.5

References

CVE
CVE-2017-18607
CVE
CVE-2017-18606
URL
https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
URL
http://wphutte.com/avada-5-1-4-stored-xss-and-csrf/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Submitter
WpHutte
Submitter website
http://wphutte.com/
Submitter twitter
wphutte
Verified
No
WPVDB ID
acad98b6-510e-47df-a264-b1412330ebec

Timeline

Publicly Published
2017-04-26 (about 7 years ago)
Added
2017-05-02 (about 7 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2016-06-09
Title
CM Ad Changer <= 1.7.7 - Stored Cross-Site Scripting (XSS)
Published
2014-05-28
Title
Oleggo Livestream <= 0.2.6 - XSS
Published
2022-07-18
Title
Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF
Published
2024-03-25
Title
Top Bar < 3.0.5 - Admin+ Stored XSS
Published
2024-02-05
Title
Apollo13 Framework Extensions < 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting