Themes Vulnerabilities

Avada < 7.11.2 - Contributor+ SSRF

Description

The theme does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attacks

Affects Themes

Avada
Fixed in 7.11.2
avada
Fixed in 7.11.2

References

CVE
CVE-2023-39313
URL
https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-server-side-request-forgery-ssrf-vulnerability

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
8.5 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
c96207a7-d46a-447b-bace-d909cc7e204b

Timeline

Publicly Published
2024-01-29 (about 2 years ago)
Added
2024-01-30 (about 2 years ago)
Last Updated
2024-01-30 (about 2 years ago)

Other

Published
Title
Published
2026-01-12
Title
CP Image Store with Slideshow < 1.2.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import
Published
2023-05-23
Title
Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Incorrect Authorization leading to Arbitrary File Upload
Published
2024-12-16
Title
Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass
Published
2022-02-23
Title
WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion
Published
2023-11-28
Title
SchedulePress < 5.0.5 - Contributor+ Arbitrary Post Update/Deletion