Themes Vulnerabilities

Avada < 7.4.2 - Reflected Cross-Site Scripting

Description

The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue.

Proof of Concept

Affects Themes

Avada
Fixed in 7.4.2

References

URL
https://theme-fusion.com/documentation/avada/installation-maintenance/avada-changelog/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
eb172b07-56ab-41ce-92a1-be38bab567cb

Timeline

Publicly Published
2021-09-13 (about 4 years ago)
Added
2021-09-13 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2025-05-07
Title
User Login History < 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-21
Title
This-or-That by André Boekhorst <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-06-22
Title
Pricing Table by Supsystic < 1.9.5 - Reflected Cross-Site Scripting
Published
2025-01-08
Title
Linear < 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
ReadMe Creator <= 1.0 - Reflected Cross-Site Scripting