Avada < 6.2.3 – Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS | CVE 2020-36711

Description

NinTechNet disclosed multiple security vulnerabilities affecting the premium Avada WordPress theme on their blog after responsibly disclosing the security vulnerabilities to Avada.

These vulnerabilities included:

- Content Injection & Stored XSS
- Arbitrary Post Deletion
- Arbitrary Post Creation

These vulnerabilities were reportedly fixed in Avada version 6.2.3, released on April 24th 2020.

Affects Themes

Avada

Fixed in 6.2.3

References

CVE

CVE-2020-36711

URL

https://blog.nintechnet.com/avada-wordpress-theme-fixed-multiple-vulnerabilities/

URL

https://theme-fusion.com/security-fix-added-in-6-2-3/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

CVSS

8.5 (high)

Miscellaneous

Original Researcher

Jerome Bruandet (nintechnet.com)

Verified

WPVDB ID

ed51f0b3-1e8a-438b-9236-779a9b1cdb9f

Timeline

Publicly Published

2020-05-01 (about 6 years ago)

Added

2020-05-01 (about 6 years ago)

Last Updated

2023-06-08 (about 2 years ago)

Other

Published

Title

Published

2024-03-13

Title

Malware Scanner < 4.7.3 and Web Application Firewall < 2.1.2 - Unauthenticated Privilege Escalation

Published

2025-07-08

Title

Sala <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover

Published

2026-02-10

Title

Miraculous Elementor < 2.0.8 - Authenticated (Subscriber+) Privilege Escalation

Published

2025-04-23

Title

Buddypress Force Password Change <= 0.1 - Subscriber+ Account Takeover via Password Update

Published

2025-10-02

Title

Spirit Framework < 1.2.15 - Account Takeover and Privilege Escalation