Themes Vulnerabilities

Avada < 7.11.11 - Missing Authorization

Description

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.11.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Themes

Avada
Fixed in 7.11.11

References

CVE
CVE-2025-24748
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7b25126-9db4-488a-aa47-2f903b0b9fdf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
5c3cbcfe-7167-49ed-83f0-afc15efb66cd

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-28 (about 1 year ago)
Last Updated
2025-01-28 (about 1 year ago)

Other

Published
Title
Published
2023-02-28
Title
WP Shamsi <= 4.3.3 - Subscriber+ Attachment Deletion
Published
2025-11-30
Title
Payment Gateway for PayPal on WooCommerce < 9.0.54 - Missing Authorization
Published
2025-12-02
Title
WPS Bidouille < 1.33.2 - Missing Authorization
Published
2022-06-30
Title
Accordions < 2.0.3 - Unauthenticated Arbitrary Options Update
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Deactivation