Themes Vulnerabilities

Avada < 7.11.2 - Subscriber+ Portfolio Permalinks Creation

Description

The theme is vulnerable to unauthorized modification of data due to a missing capability check, allowing any authenticated attackers, with such as subscriber and above, to save Portfolio permalinks.

Affects Themes

Avada
Fixed in 7.11.2
avada
Fixed in 7.11.2

References

CVE
CVE-2023-39307
URL
https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-broken-access-control-vulnerability

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
81108b5a-d3e0-43f4-b2c6-9a2613e46052

Timeline

Publicly Published
2024-01-29 (about 2 years ago)
Added
2024-01-30 (about 2 years ago)
Last Updated
2024-01-30 (about 2 years ago)

Other

Published
Title
Published
2025-08-15
Title
OceanWP < 4.1.2 - Subscriber+ Limited Option Update
Published
2022-11-14
Title
Transposh WordPress Translation <= 1.0.8 - Settings Update via Authorization Bypass
Published
2022-11-21
Title
WP Memory < 2.46 - Subscriber+ Arbitrary Plugin Installation
Published
2022-03-21
Title
Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure
Published
2025-03-19
Title
File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read