Themes Vulnerabilities

Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF

Description

The Avada WordPress theme was affected by a Stored Cross-Site Scripting (XSS) & CSRF security vulnerability.

Proof of Concept

Affects Themes

Avada
Fixed in 5.1.5

References

CVE
CVE-2017-18607
CVE
CVE-2017-18606
URL
https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
URL
http://wphutte.com/avada-5-1-4-stored-xss-and-csrf/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Submitter
WpHutte
Submitter website
http://wphutte.com/
Submitter twitter
wphutte
Verified
No
WPVDB ID
acad98b6-510e-47df-a264-b1412330ebec

Timeline

Publicly Published
2017-04-26 (about 8 years ago)
Added
2017-05-02 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-09-25
Title
Modal Window < 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-05-03
Title
PropertyHive < 2.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-02-28
Title
System Dashboard < 2.8.10 - XSS via Header Injection
Published
2025-03-24
Title
Omnify <= 2.0.3 - Reflected Cross-Site Scripting
Published
2025-03-25
Title
Smart Maintenance Mode < 1.5.3 - Reflected Cross-Site Scripting via setstatus Parameter