The article discusses the discovery of an Arbitrary File Upload vulnerability in the Avada WordPress theme during a Bug Bounty Extravaganza event. The vulnerability, which affects versions up to and including 7.11.4 of the theme, allows authenticated attackers with contributor-level permissions and above to upload arbitrary files onto the server and potentially achieve remote code execution. The discovery was made by researcher Muhammad Zeeshan (Xib3rR4dAr) who responsibly reported the issue through the Wordfence Bug Bounty Program and received a bounty of $2,751.00.
Wordfence, a web application firewall and security plugin for WordPress, ensures that all its Premium, Care, and Response customers are protected against exploits targeting this vulnerability through its built-in Malicious File Upload protection. The developer of the Avada theme, ThemeFusion, promptly released a patch on February 12, 2024, in response to the disclosure.
The technical analysis of the vulnerability reveals that the issue lies in the insecure implementation of the theme’s page options import functionality, allowing for arbitrary file uploads. The ajax_import_options() function in the Avada theme is vulnerable due to missing file type validation, enabling attackers to upload malicious PHP code and potentially execute it on the server. The timeline of the disclosure process, from the initial submission on February 6, 2024, to the confirmation and validation of the report on February 13, 2024, is provided.
Wordfence emphasizes the importance of updating sites to the latest patched version of Avada (7.11.5 at the time of writing) to mitigate the risk posed by the vulnerability. The article highlights the collaboration between researchers and security vendors in identifying and addressing such vulnerabilities to enhance the overall security of the web ecosystem. It advises WordPress users to stay vigilant and ensure that their themes and plugins are up-to-date to protect their sites from potential threats.
Read Full Article