Avada is one of the best-selling multipurpose WordPress themes, with over 700,000 sales. It is estimated to power around 4% of WordPress sites.
Recently we have seen a large number of infected sites running outdated versions of the Avada theme. Version 7.4.2, released on September 10th, 2021, patched the following vulnerabilities:
- SECURITY: Fixed XSS (Cross-Site Scripting) issue in breadcrumbs when using bbPress plugin and being on bbPress search page
- SECURITY: Fixed XSS (Cross-Site Scripting) issue in Avada Forms component allowing unescaped HTML form entries to be loaded on the backend
Source: Avada Changelog
Here are the classification details reported by WPScan on 13 September 2021:
OWASP top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79 (improper neutralization of user supplied input)
Description: The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue.
And here are some of the instances of the malware detected while scanning the infected sites running Avada:
If your website is running an Avada WordPress theme version older than 7.4.2, upgrading to the latest version of the theme will NOT automatically fix your site. If the site is already infected, it will have to be cleaned up. A theme upgrade only puts a lock on this entry point; if the site has already been breached, the lock does nothing about the attacker who is already inside.
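As an added check (not code from the original post or from the theme), the script below reads the standard WordPress theme header at the top of `wp-content/themes/Avada/style.css` and reports whether the installed Avada version is older than 7.4.2; the sample header text is constructed for the example.

```python
import re

# Minimum Avada version carrying the breadcrumb and Avada Forms XSS fixes.
PATCHED_VERSION = "7.4.2"

# Constructed sample of a WordPress theme header block as found at the top of
# style.css; the values are made up for this example.
SAMPLE_STYLE_CSS = """/*
Theme Name: Avada
Theme URI: https://avada.theme-fusion.com
Author: ThemeFusion
Version: 7.4.1
*/
"""


def theme_header(style_css: str) -> dict:
    """Parse the 'Key: Value' lines of the leading comment block in style.css."""
    header = {}
    block = re.search(r"/\*(.*?)\*/", style_css, re.S)
    if not block:
        return header
    for line in block.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip()] = value.strip()
    return header


def version_tuple(version: str) -> tuple:
    """'7.4.1' -> (7, 4, 1) so that '7.10.0' sorts above '7.4.2'."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def avada_needs_upgrade(style_css: str) -> bool:
    """True when the header describes an Avada install older than PATCHED_VERSION."""
    header = theme_header(style_css)
    if header.get("Theme Name") != "Avada":
        return False
    return version_tuple(header.get("Version", "0")) < version_tuple(PATCHED_VERSION)


if __name__ == "__main__":
    # Replace SAMPLE_STYLE_CSS with open('wp-content/themes/Avada/style.css').read()
    print("upgrade required:", avada_needs_upgrade(SAMPLE_STYLE_CSS))
```

A result of `True` means the vulnerable entry point is still open; a result of `False` says nothing about whether the site was compromised before the upgrade, which still needs a malware scan and cleanup.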