Avada WordPress Theme < 7.4.2 — Reflected Cross-Site Scripting

Avada is one of the best-selling multipurpose WordPress themes, with over 700,000 sales; by that measure it powers around 4% of WordPress sites.

Recently we have been receiving many infected sites running outdated versions of the Avada theme. Version 7.4.2, released on September 10th, 2021, patched the following vulnerabilities:

    1. SECURITY: Fixed XSS (Cross-Site Scripting) issue in breadcrumbs when using bbPress plugin and being on bbPress search page
    2. SECURITY: Fixed XSS (Cross-Site Scripting) issue in Avada Forms component allowing unescaped HTML form entries to be loaded on the backend

Source: Avada Changelog

Here are the classification details reported by WPScan on 13 September 2021:

Type: XSS
OWASP top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79 (improper neutralization of user supplied input)
Description: The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue.
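As an added illustration (not Avada's or bbPress's code), here is the pattern behind a reflected XSS in a breadcrumb and the output escaping that fixes it. The breadcrumb functions and the sample search term are hypothetical; esc_html() is the real WordPress API, polyfilled so the script also runs from the PHP CLI:

```php
<?php
// Added illustration, not the theme's code. Only esc_html() is a real
// WordPress function; outside WordPress it is polyfilled with the equivalent
// htmlspecialchars() call so this file runs stand-alone. (WordPress's own
// esc_html() additionally validates UTF-8 and avoids double-encoding
// existing entities; the escaping that matters here is the same.)
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical): a visitor-controlled search term is
// concatenated straight into the breadcrumb markup. Whatever arrives in the
// query string is emitted to every viewer of that URL as live HTML.
function breadcrumb_for_search_vulnerable(string $term): string {
    return '<li class="breadcrumb-item">Search results for: ' . $term . '</li>';
}

// Fixed pattern: escape at the point of output. esc_html() turns <, >, &, "
// and ' into entities, so the browser renders the term as text, not markup.
function breadcrumb_for_search_fixed(string $term): string {
    return '<li class="breadcrumb-item">Search results for: ' . esc_html($term) . '</li>';
}

// Reviewer's check: once the term has been inserted, the text between the
// wrapper tags must contain no raw '<', '>' or '"'.
function inner_text_is_escaped(string $html): bool {
    $inner = preg_replace('#^<li[^>]*>|</li>$#', '', $html);
    return strpbrk($inner, '<>"') === false;
}

// Constructed sample input: harmless markup plus characters that would also
// matter inside an attribute (& and quotes).
$term = '<b>forum</b> & "quotes"';

echo breadcrumb_for_search_vulnerable($term), PHP_EOL;  // markup passes through unchanged
echo breadcrumb_for_search_fixed($term), PHP_EOL;       // markup arrives as entities
var_dump(inner_text_is_escaped(breadcrumb_for_search_vulnerable($term)));
var_dump(inner_text_is_escaped(breadcrumb_for_search_fixed($term)));
```

The same rule applies wherever the search term is reused (page title, form value, URL): escape with the function matching the output context (esc_html, esc_attr, esc_url) at the point of output, not at input.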

Here are some of the malware signatures detected while scanning infected sites running Avada:

{HEX}Malware.Expert.php.allow.url.fopen.php.UNOFFICIAL
{HEX}Malware.Expert.php.post.password.urlencode.post.bot.user.agent.general.UNOFFICIAL
{HEX}Malware.Expert.str.replace.get.str.replace.get.UNOFFICIAL

If your website is running the Avada WordPress theme < 7.4.2, upgrading to the latest version of the theme will NOT automatically fix your site. If the site is already infected, it will have to be cleaned up. A theme upgrade only puts a lock on this entry point; if the site has already been breached, the lock does nothing about what is already inside.

URGENT ACTIONABLES:

  1. Upgrade the Avada WordPress theme to the latest version (7.4.2).
  2. Run a complete website scan using Malcure WP Malware Scanner to rule out an infection.
  3. If the site is infected, you can engage our security team to clean it professionally.