WordPress Avada premium theme <= 7.8.1 - Cross-Site Request Forgery (CSRF) vulnerability
Description
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Avada theme <=7.8.1 on WordPress allows attackers to install/activate arbitrary plugins via crafted requests.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the ThemeFusion Avada premium theme for WordPress, versions 7.8.1 and earlier. The issue allows an attacker to perform unauthorized actions, such as installing or activating arbitrary plugins, by tricking an authenticated administrator into visiting a malicious page [1].
Exploitation
To exploit the vulnerability, an attacker must craft a malicious link or form that submits a request to the Avada theme's admin functionality. The victim must be logged in as an administrator and interact with the crafted request (e.g., by clicking a link). No other authentication or network position is required beyond standard web access.
Impact
Successful exploitation enables the attacker to install or activate any WordPress plugin without authorization. This can lead to full site compromise, as the attacker could install malicious plugins that execute arbitrary code, steal data, or further escalate privileges.
Mitigation
The vulnerability is fixed in Avada version 7.8.2 and later. Users should update their theme to the latest available version. The changelog [1] provides details on the update. If upgrading is not possible, consider restricting access to WordPress admin pages or employing CSRF protection mechanisms.
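To find installs that still need the update, the following added example (not code from this page or from ThemeFusion) reads the standard WordPress theme header in each `style.css` and flags parent Avada themes older than 7.8.2. The `wp-content/themes` default path, the exact `Theme Name: Avada` header value and the sample headers are assumptions made for the example.

```python
import re
import sys
from pathlib import Path

FIXED = (7, 8, 2)  # first fixed release named in the mitigation text above

# Constructed style.css headers for illustration (not from a real install).
SAMPLE_PARENT = "/*\nTheme Name: Avada\nAuthor: ThemeFusion\nVersion: 7.8.1\n*/\n"
SAMPLE_CHILD = "/*\nTheme Name: Avada Child\nTemplate: Avada\nVersion: 1.0.0\n*/\n"

def header(css, field):
    """Return one field of the theme header comment, or None if absent."""
    pattern = rf"^[ \t/*#@]*{re.escape(field)}:[ \t]*(.+?)[ \t]*$"
    m = re.search(pattern, css[:8192], re.M | re.I)  # header sits at the top
    return m.group(1).strip() if m else None

def version_tuple(version):
    """'7.8.1' -> (7, 8, 1); pads short versions, drops suffixes like '-beta'."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True for anything below 7.8.2, which covers the advisory's '<= 7.8.1'."""
    return version_tuple(version) < FIXED

def audit(themes_dir):
    """Return (theme_dir, version, affected) for each parent Avada theme."""
    results = []
    for css_path in sorted(Path(themes_dir).glob("*/style.css")):
        css = css_path.read_text(encoding="utf-8", errors="replace")
        # Child themes declare "Template:"; their Version is not Avada's own.
        if header(css, "Theme Name") != "Avada" or header(css, "Template"):
            continue
        ver = header(css, "Version")
        # A missing or empty version cannot be cleared, so report it as affected.
        results.append((str(css_path.parent), ver, not ver or is_affected(ver)))
    return results

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes"
    findings = audit(root)
    for path, ver, affected in findings:
        print(f"{path}: Avada {ver or 'unknown'} -> {'UPDATE' if affected else 'ok'}")
    sys.exit(1 if any(f[2] for f in findings) else 0)
```

The non-zero exit status when any affected copy is found lets the check run from a scheduled job or deployment pipeline.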
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ThemeFusion/Avada (premium WordPress theme) v5 Range: <= 7.8.1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.