Themes Vulnerabilities

Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF

Description

The Avada WordPress theme was affected by a Stored Cross-Site Scripting (XSS) & CSRF security vulnerability.

Proof of Concept

Affects Themes

Avada
Fixed in 5.1.5

References

CVE
CVE-2017-18607
CVE
CVE-2017-18606
URL
https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
URL
http://wphutte.com/avada-5-1-4-stored-xss-and-csrf/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Submitter
WpHutte
Submitter website
http://wphutte.com/
Submitter twitter
wphutte
Verified
No
WPVDB ID
acad98b6-510e-47df-a264-b1412330ebec

Timeline

Publicly Published
2017-04-26 (about 8 years ago)
Added
2017-05-02 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-08-07
Title
Multimedia Playlist Slider Addon for WPBakery Page Builder < 2.2 - Reflected Cross-Site Scripting
Published
2025-04-28
Title
Qi Blocks < 1.4 - Contributor+ Stored XSS via ToC Block
Published
2024-09-16
Title
Gutenberg Blocks <= 1.2.8 - Contributor+ Stored XSS
Published
2024-06-28
Title
PixelYourSite – Your smart PIXEL (TAG) Manager < 9.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2015-04-16
Title
Citizen Space <= 1.1 - Reflected Cross-Site Scripting (XSS)