---
title: "Avada WordPress Theme < 7.4.2 — Reflected Cross-Site Scripting"
date: 2021-09-29
author: "Rachael"
featured_image: "https://malcure.com/wp-content/uploads/2021/09/avada-wordpress-theme-742-reflected-cross-site-scripting-scaled.jpg"
categories:
  - name: "News"
    url: "/blog/news.md"
---

# Avada WordPress Theme < 7.4.2 — Reflected Cross-Site Scripting

![Avada Cross-Site Scripting issue](https://malcure.com/wp-content/uploads/2021/09/avada-wordpress-theme-742-reflected-cross-site-scripting-1024x683.jpg "Avada XSS Security Issue")Avada is one of the best-selling multipurpose WordPress themes with over 700,000 sales. Statistically it powers around 4% of the WordPress sites.

Recently, we received a lot of infections on sites running outdated versions of Avada theme. Version 7.4.2 was released on September 10th, 2021 which patched the following vulnerabilities:

1. 1. SECURITY: Fixed XSS (Cross-Site Scripting) issue in breadcrumbs when using bbPress plugin and being on bbPress search page
    2. SECURITY: Fixed XSS (Cross-Site Scripting) issue in Avada Forms component allowing unescaped HTML form entries to be loaded on the backend

**Source:** [Avada Changelog](https://theme-fusion.com/documentation-assets/avada/changelog.txt)

## Vulnerability Details

Here are the classification details reported by WPScan on 13 September 2021:

**Type:** XSS  
**OWASP top 10:** [A7: Cross-Site Scripting (XSS)](https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html)  
**CWE:** CWE-79 (improper neutralization of user supplied input)  
**Description:** The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue.

And here are some of the instances of the malware detected while scanning the infected sites running Avada:

```
{HEX}Malware.Expert.php.allow.url.fopen.php.UNOFFICIAL
```

```
{HEX}Malware.Expert.php.post.password.urlencode.post.bot.user.agent.general.UNOFFICIAL
```

```
{HEX} Malware.Expert.str.replace.get.str.replace.get.UNOFFICIAL
```

If your website is running Avada WordPress theme &lt; 7.4.2 upgrading to the latest version of the theme **will NOT automatically fix your site**. If the site is already infected, it will have to be cleaned up. With a theme upgrade all you do it put a lock on this entry / breach. But if the site has been breached already, the lock would do nothing.

## Urgent Actionables

1. Upgrade Avada WordPress theme to run the latest version of the theme; i.e., 7.4.2
2. Run a complete website scan using [Malcure WP Malware Scanner](https://wordpress.org/plugins/wp-malware-removal/) to eliminate the possibility of infection.
3. In case the site is infected, you can engage our security team for [professionally cleaning the infected site](https://malcure.com/wordpress-malware-removal-service/).