WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability

Vulnerability

The Avada WordPress theme versions up to and including 3.15.3 are vulnerable to PHP Object Injection. This occurs when user-supplied input is passed to an unserialize() function without proper sanitization, allowing a contributor-level user to inject arbitrary PHP objects. The vulnerability is present in the theme's code handling of certain data. [1]

Exploitation

An attacker must have a contributor-level account on the WordPress site. The attacker can craft a malicious serialized payload and submit it via a vulnerable parameter. No additional privileges or user interaction beyond the contributor role are required. The exploit does not require any special network position beyond being able to access the WordPress admin area. [1]

Impact

Successful exploitation can lead to arbitrary code execution if a suitable POP (Property Oriented Programming) chain exists in the WordPress environment. This can result in full site compromise, including SQL injection, path traversal, denial of service, and other attacks. The CVSS score is 8.8 (High). [1]

Mitigation

The vulnerability is fixed in version 3.15.4. Users should update immediately. If unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied. No other workarounds are mentioned. The vulnerability is expected to be exploited in mass campaigns. [1]