Urgent Security Alert: Avada WordPress Theme Vulnerability (CVE-2024-1468)
A high-severity security vulnerability (CVE-2024-1468, CVSS score 8.8) has been discovered in the popular Avada WordPress theme with nearly 950,000 sales. This vulnerability allows authenticated attackers with contributor-level permissions or higher to upload arbitrary files and potentially execute malicious code on affected websites.
The bug was reported by Muhammad Zeeshan (Xib3rR4dAr), a cybersecurity researcher who navigated through the complex web of code to uncover a flaw that allows an attacker “with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.” For his responsible reporting through the Wordfence Bug Bounty Program, Zeeshan was awarded a bounty of $2,751.00.
The root cause of CVE-2024-1468 is Avada’s ajax_import_options() function, which lacked file type validation in versions up to and including 7.11.4. Because the handler accepted any file, an authenticated attacker with nothing more than contributor-level access could upload files of any kind onto the server, paving the way for potential remote code execution.
The vulnerability’s exploitation hinges on the theme’s page options import functionality, which, due to its insecure implementation, allows for the upload of arbitrary files. A deep dive into the theme’s code revealed that the Avada_Page_Options class’s ajax_import_options() function was designed to import options in JSON format without restricting file extensions. Consequently, attackers could upload files with a .php extension to the WordPress uploads folder, which is publicly accessible, and execute arbitrary malicious PHP code on the server.
Although the uploaded file is deleted immediately after the import runs, attackers still have a brief window in which it exists on disk, and the researcher describes widening that window by flooding the server with large uploads and racing to trigger execution. The researcher reproduced a working exploit, demonstrating how easy the flaw is to abuse.
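To show what the missing validation looks like from the defender’s side, here is an added, hypothetical hardened import handler written for this article (it is not Avada’s or ThemeFusion’s code; the action name, nonce, field name and option keys are made up). It enforces a capability above contributor, allow-lists the .json extension, parses the upload in memory, and never writes anything into the publicly served uploads directory, which removes the race window described above:

```php
<?php
// Illustrative hardened AJAX options-import handler (hypothetical; not Avada's code).
// Addresses the defect class described above: a JSON import endpoint that must not
// let a low-privileged user place an arbitrary file in a web-reachable directory.

add_action( 'wp_ajax_example_import_options', 'example_import_options' );

function example_import_options() {
    // 1. CSRF check plus a capability that contributors do not hold.
    //    Importing theme/page options is an administrative action.
    check_ajax_referer( 'example_import_options', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Require a real uploaded file (is_uploaded_file() rejects spoofed paths).
    if ( empty( $_FILES['options_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['options_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $upload = $_FILES['options_file'];

    // 3. Allow-list the extension. This is the check that was missing: without it
    //    a .php upload is accepted just like a .json one.
    $ext = strtolower( pathinfo( $upload['name'], PATHINFO_EXTENSION ) );
    if ( 'json' !== $ext ) {
        wp_send_json_error( 'only .json option files are accepted', 400 );
    }

    // 4. Do not copy the file into wp-content/uploads (publicly served). Read it
    //    straight from PHP's temporary upload location and parse it in memory,
    //    so nothing executable ever lands under the web root, even briefly.
    $options = json_decode( file_get_contents( $upload['tmp_name'] ), true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $options ) ) {
        wp_send_json_error( 'file is not valid JSON', 400 );
    }

    // 5. Import only a known set of keys with sanitised scalar values rather than
    //    trusting the whole blob.
    $allowed = array( 'page_title_bar', 'sidebar', 'header_bg_color' ); // hypothetical keys
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $options[ $key ] ) && is_scalar( $options[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $options[ $key ] );
        }
    }

    // PHP discards the temporary upload when the request ends.
    wp_send_json_success( $clean );
}
```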
Promptly after the discovery, Zeeshan reached out to ThemeFusion, Avada’s developer, on February 6, 2024. With full disclosure of the vulnerability’s details, ThemeFusion acted swiftly, issuing a patch (version 7.1.15) on February 12, 2024, to close this critical vulnerability.