Avada is one of the best-selling multipurpose WordPress themes, with over 700,000 sales; statistically, it powers around 4% of WordPress sites.
Recently we have seen a lot of infections on sites running outdated versions of the Avada theme. Version 7.4.2, released on September 10th, 2021, patched the following vulnerabilities:
- SECURITY: Fixed XSS (Cross-Site Scripting) issue in breadcrumbs when using bbPress plugin and being on bbPress search page
- SECURITY: Fixed XSS (Cross-Site Scripting) issue in Avada Forms component allowing unescaped HTML form entries to be loaded on the backend
Source: Avada Changelog
Vulnerability Details
Here are the classification details reported by WPScan on 13 September 2021:
Type: XSS
OWASP top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79 (improper neutralization of user-supplied input)
Description: The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue.
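The pattern behind the reported issue is a breadcrumb that echoes the current search term into the page without escaping it. The following is an added illustration, not Avada's or bbPress's own code: a hypothetical breadcrumb renderer shown in its vulnerable form beside the hardened form that escapes at the point of output. The `bbp_search` query variable and the `demo_` function names are assumptions; `esc_html()` is the real WordPress helper, with a minimal stand-in defined only so the file also runs outside WordPress.

```php
<?php
/**
 * Added example (not the theme's code): reflected XSS in a breadcrumb
 * versus the escaped version. Assumes bbPress delivers the search term
 * in the `bbp_search` query variable.
 */

// Stand-in for WordPress's esc_html() when this file runs outside WordPress.
// The real helper also validates UTF-8; for HTML text content the effect is the same.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Vulnerable variant: the request value lands in the HTML exactly as sent.
function demo_breadcrumb_search_vulnerable( $search_terms ) {
	return '<li class="breadcrumb-item">Search results for: ' . $search_terms . '</li>';
}

// Hardened variant: escape at output, so markup in the term is rendered as text.
function demo_breadcrumb_search_hardened( $search_terms ) {
	return '<li class="breadcrumb-item">Search results for: ' . esc_html( $search_terms ) . '</li>';
}

// Pull the term the way a breadcrumb on the bbPress search page would.
function demo_current_search_terms() {
	return isset( $_GET['bbp_search'] ) ? (string) $_GET['bbp_search'] : '';
}

if ( PHP_SAPI === 'cli' ) {
	// Constructed sample: a search term that carries markup.
	$_GET['bbp_search'] = '<b>plugin</b> "quoted"';
	$terms = demo_current_search_terms();

	echo "Vulnerable: " . demo_breadcrumb_search_vulnerable( $terms ) . PHP_EOL;
	// Vulnerable: <li class="breadcrumb-item">Search results for: <b>plugin</b> "quoted"</li>
	echo "Hardened:   " . demo_breadcrumb_search_hardened( $terms ) . PHP_EOL;
	// Hardened:   <li class="breadcrumb-item">Search results for: &lt;b&gt;plugin&lt;/b&gt; &quot;quoted&quot;</li>
}
```

The fix is at the sink, not the source: even if bbPress sanitizes the term elsewhere, the breadcrumb must escape whatever it prints, because it cannot know how the value reached it. `esc_html()` is the right helper for text between tags; a value placed in an attribute would need `esc_attr()` instead.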
And here are some of the malware signatures detected while scanning infected sites running Avada:
{HEX}Malware.Expert.php.allow.url.fopen.php.UNOFFICIAL
{HEX}Malware.Expert.php.post.password.urlencode.post.bot.user.agent.general.UNOFFICIAL
{HEX}Malware.Expert.str.replace.get.str.replace.get.UNOFFICIAL
If your website is running an Avada WordPress theme older than 7.4.2, upgrading to the latest version of the theme will NOT automatically fix your site. If the site is already infected, it will have to be cleaned up. A theme upgrade only puts a lock on this entry point; if the site has already been breached, the lock does nothing about what is already inside.
Urgent Actionables
- Upgrade the Avada WordPress theme to the latest version, i.e., 7.4.2 or later.
- Run a complete website scan using Malcure WP Malware Scanner to rule out an existing infection.
- In case the site is infected, you can engage our security team to professionally clean the infected site.
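To check whether a site is still exposed to the first item above, the installed Avada version can be compared against 7.4.2 from inside WordPress. The following is an added example, not Avada's or Malcure's own code: a must-use plugin that shows an admin notice while the theme is older than the patched release. It assumes the theme lives in the default `Avada` directory; `wp_get_theme()`, `version_compare()` and the `admin_notices` hook are real WordPress and PHP APIs, while the `demo_` names are assumptions.

```php
<?php
/**
 * Added example (not the theme's code): warn in wp-admin while the installed
 * Avada version is below the patched release. Save as
 * wp-content/mu-plugins/demo-avada-version-check.php.
 * Assumption: the theme's stylesheet directory is named "Avada".
 */

define( 'DEMO_AVADA_PATCHED_VERSION', '7.4.2' );

// True when the installed version is older than the patched one.
// version_compare() understands dotted versions, so 7.4.10 is correctly newer than 7.4.2.
function demo_avada_is_outdated( $installed_version, $patched = DEMO_AVADA_PATCHED_VERSION ) {
	return version_compare( $installed_version, $patched, '<' );
}

// Read the version from the theme's style.css header, or null when Avada is absent.
function demo_avada_installed_version() {
	$theme = wp_get_theme( 'Avada' );
	if ( ! $theme->exists() ) {
		return null;
	}
	return $theme->get( 'Version' );
}

// Render an error-level notice on every admin screen until the theme is updated.
function demo_avada_version_notice() {
	$version = demo_avada_installed_version();
	if ( null === $version || ! demo_avada_is_outdated( $version ) ) {
		return;
	}
	$message = sprintf(
		'Avada %s is installed. Versions below %s contain known XSS issues: update the theme, then scan the site, because the update does not remove an existing infection.',
		$version,
		DEMO_AVADA_PATCHED_VERSION
	);
	printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
}

if ( function_exists( 'add_action' ) ) {
	add_action( 'admin_notices', 'demo_avada_version_notice' );
}
```

Because Avada is installed from the vendor rather than the WordPress.org directory, the core update checker will not necessarily flag it, which is why an explicit version gate like this is worth keeping until the theme is confirmed at 7.4.2 or later. Child themes are covered too, since `wp_get_theme( 'Avada' )` reads the parent directory directly.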