Avada Theme Version 5.1.5 Patches Stored XSS and CSRF Vulnerabilities

Theme Fusion’s Avada WordPress Theme, the highest selling theme on Themeforest for the past four years, has fixed stored XSS and CSRF vulnerabilities in its 5.1.5 release. The security issues were discovered by WP Hütte, a WordPress security blog, and the site published details of the vulnerabilities after Theme Fusion patched its theme.

Although the patched version has been available since early April, a notification was only recently sent out to Avada customers from Envato via email, urging them to update. Avada announced the release of 5.1.5 but did not publish anything publicly on the security issues that it fixes. Customers started learning about the vulnerabilities from the WPScan Vulnerability Database, WP Hütte, and posts on Twitter.

Theme Fusion left the security issues buried in the changelog until today when customers began receiving email notices about it. A fix was available for more than a month while customers who were unaware and had not updated were left vulnerable. Envato’s email encourages all users to update, as the release is for all previous versions of Avada.

If you have purchased Avada for clients or for yourself, you can update to the latest version by downloading it from your Envato Market account and reinstalling it. Customers with the Envato Market WordPress plugin installed can access automatic updates within the WordPress admin.
23 responses to “Avada Theme Version 5.1.5 Patches Stored XSS and CSRF Vulnerabilities”

  1. You don’t need the Envato plugin to update Avada. Just generate an API key and paste it in the registration box, click on check updates and update the theme just as you would update WP.org themes.

  2. Hello Everyone,
    We have two comments in reply to this post. One will fully explain what and why we did what we did and that it was responsible, regardless of the post implying we were not.
    However this comment will focus on the person/site who reported this issue. We were contacted by them telling us they found 2 security issues, had a post ready to go live and showed us the post content. They asked for bounty money and wanted to know when we could fix them.
    We replied back thanking them for bringing the issues to our attention, we always are grateful for such a thing. We also told them our dev team was already checking into both reported issues … in less than 24 hours patches were made.
    However, this is the part that makes all the difference. The content of their post was extremely alarming. They were publishing the exact details on how to take advantage of the exploits. They ignored our request to remove those portions and said the details would be published regardless. We continued to try and discuss with them and explain that publishing details such as that is extremely wrong, unless it was published a year or more in the future. They did not comply and wanted bounty money, or credit to make a name for themselves and build a business.
    They then even asked us if we wanted the details removed, we said yes of course. We also told them it was already fixed and was being tested and would be released soon. However, they never told us when the post would go live, nor told us the details were being removed.
    In addition to all this, the creator of that site had a script running that automatically creates their email as an admin user for the sites it’s run on. You can view this in their comments. While the script appears to be changed, even having such a thing should give anyone caution. We had no clue who we were dealing with, but clearly this was wrong.
    Knowing all this; they were going to publish the details on how to use the vulnerabilities, had a script that took advantage of it, and the fact that we do not have all our customer emails (only Envato does, they do not give them to us), why would we ever publish a public post about this before Envato was able to notify all of our customers? All that would do is open the door for people finding this post and taking advantage of it.
    The bottom line for this comment is that we’d like to ask why WPTavern / Sarah would post the link to the post that fully explains how to take advantage of the exploit?
    We at ThemeFusion explicitly decline the unethical practice of publishing instructions that show hackers how to use a vulnerability and which violate the WordPress standard of security issue reports: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/. We are also sad to see that some bloggers don’t refrain from publishing badly researched articles just for the sake of publicity. We strongly disagree with posting it and highly recommend removing it.
    This is for a WP theme, and an exploit through a WP hook. Details on how to exploit it, especially so soon, should not be published.
    We were told you would change it out with one of our own, so we ask you to change it out with the one we already emailed you here: https://theme-fusion.com/knowledgebase/security-fixes-added-5-1-5/
    Lastly, we do find it interesting that nobody from WPTavern contacted us to ask us about this issue in any way shape or form. Instead of doing thorough research and contacting us, assumptions were made and even worse, links put up to take advantage of the vulnerability. We find that shocking at best.
    We hope this changes in the future, that is not community in the slightest form.

  3. Hello Again,

    This post implies we were negligent in notifying customers and the connotations made assume the worst. We disagree.

    First, like WordPress, we understand that security is not an absolute, it’s a continuous process and should be managed as such. While we try to be proactive in preventing security problems, we do not assume they’ll never come up.

    It boils down to this. We were notified by a person of the security issue within Avada, via email. They asked for a bounty reward and showed us a post of what would be published. This post was wrong as it had exact details on how to use the vulnerability along with a script that made the person who reported it an admin user. For more information on that, see our first comment above.

    Our development team immediately took action to check and verify the issue at hand. Once accurately identified, our team fixed it with a patch in less than 24 hours, and the full Avada 5.1.5 update was sent out in 4 days. Confirmation of the patch release date can be found here under 5.1.4: goo.gl/NGU83S … and confirmation of the changelog release that lists out the security fixes can be found here: goo.gl/40T2gp

    There are several important factors to know:

    1. We (ThemeFusion) do not have all customer emails. In fact, we have less than 1/5th. Envato keeps them and does not give them to the authors who sell items.

    2. Due to the above, we have no way of contacting all of our customers at once. In addition, we had concerns over the post of the reporter which explains how to use the exploit, and not knowing when they were sending it out, we had to rely on Envato to do so.

    3. Each time we send in an update, it lists out the changelog in detail. Both security issues were listed and their fixes approved by the Envato review team and the new version posted on the marketplace.

    4. We did a similar thing to what WP did back in February and elected to put off disclosing the vulnerability to make sure that our users who use automatic updates on their sites – were protected before going public.

    We allowed customers to see auto updates for both the theme and the patcher tool and get as many updated as possible. The patcher tool description and changelog were descriptive in making users aware that security issues were fixed. Nor is this information buried as we described above; in fact they use the standard WordPress method of letting you know updates or patches are available and ready to apply. The changelog link is directly on the updates page in WP admin, the themes page as well, and the patcher tool describes each one in its location in WP admin. In addition, all of this is online at our support center.

    5. This all being very recent, and in agreement with Envato about the security related customer notification, we expected the actual communiqué to be sent out to each person that has purchased Avada, which it has been. However we implicitly asked Envato to allow us to review the content of the email before it was sent. We wanted to review the content of the eBlast so that we can ensure our customers are being given the correct information and to include additional helpful information about the update or users who were updating from much older versions. Lastly, we asked to know exactly when it was sent out so we could time ours as well. Unfortunately Envato did not get in touch with us in time.

    6. The day Envato did send out the eBlast to every customer, we received it as any customer would and then also posted the information on our site: https://theme-fusion.com/knowledgebase/security-fixes-added-5-1-5/

    The blog post of WPTavern claims that our customers only learned about it through Envato’s mail, WPScan Vulnerability Database or the reporter himself. We find that bizarre for several reasons.

    First of all, we did inform our users about the available update that included the security fix through the several ways that we could: changelog, patcher tool, a user through our private Facebook group. WPTavern arbitrarily says, “we buried the information in our changelog” … first, it is not buried as we explained above. Second, the changelog is the exact place to put the information, especially when you are unable to make it known to all customers since we do not have their emails and taking into consideration everything else explained.

    Even before we released 5.1.5, the security patch fix was done in 24 hours or less through our live patcher tool. Like it is in WordPress, it can be easily seen, that a patch/update is available. Both were labeled starting with “Security fix”, containing the kind of security issue “(ex: XSS)”.

    Why did we wait some time before a publicly available disclosure was done from our side (which can be found here: https://theme-fusion.com/knowledgebase/security-fixes-added-5-1-5/)?

    To protect our customers. How can this course of action protect customers? Well, we do know from website traffic checks that our user base does update to new versions very fast. So by making the update available, and using the more private information channels listed above (auto patch notifications, auto theme updates), we made sure that the majority of our users were already protected before the general public (which of course includes potential hackers) was made aware of the security issue.

    This is not an uncommon approach, but also something WordPress does (see https://threatpost.com/wordpress-silently-fixed-privilege-escalation-vulnerability-in-4-72-update/123533/, http://www.securityweek.com/wordpress-delayed-disclosure-critical-vulnerability or https://www.imperva.com/blog/2017/03/early-vulnerability-disclosure-thwarts-wordpress-hackers/ as examples).

    Our customers know we are not negligent in any way, they know we do everything possible for them and this involves any and all security issues. We campaign tirelessly for all of our customers, to maintain their installs and ensure that the theme is always updated or a patch applied.

    The issue itself has been resolved over a month ago, a patch created in 24 hours or less once we were notified and our user base was informed about it (automatically) through our changelog, our live patcher tool and a post in our private Facebook group. That is as much as we can do since we do not have all customer emails and rely on our partner (Envato) to also help out for which they sent the full eBlast to all customers.

    Implying we are hiding something strongly assumes the wrong thing. We will keep doing what we always have done and build strong relationships with our customers through trust and communication.


  4. The Avada issue has been patched for more than a month. When you announced it to your customers on Twitter you did not mention that there are important security fixes in the release. The fact that it took Envato a month to get an email out to them is something customers should consider. A post was added to your wiki on 5/18 (more than a month after the release) but there has still been no public announcement on your blog or Twitter or a channel that the public would follow. When WordPress delayed disclosure on a critical vulnerability it was for only 1 week. After that time had passed, they publicly disclosed it on the blog. Furthermore, they credited Sucuri and linked to their post with the technical details of how the vulnerability might be exploited. Once it’s patched and publicly disclosed, it’s on users to update.

    • No, we did not make it public until Envato did because not every customer could be aware of it; we made that clear in our reply.

      As you well know, we do not control Envato. In addition, we disagree with ever disclosing how to take advantage of a vulnerability, how can that be good for anyone?

      There are customers who do not update, may not know about, or simply prefer not to. We would not put them at risk by publishing exact details on how to do it and our customers thank us for that.

      We’ve said what we needed to say and yes, it has been made public. By Envato and through our public support channels, and a blog post is coming but it contains more information than just the security fixes. It explains the why and what, unlike this post that assumes.

      Clearly we’ll agree to disagree.

    • While it’s already been made public, both by our vendor (Envato) by eBlasting out to every customer that bought Avada, since they are the only ones who have the emails, as well as our own knowledgebase post, there should really be no reason to make it even more. Every person that bought Avada knows.

      Nevertheless, we promised a blog post was on its way and here it is: https://theme-fusion.com/security-fixes-added-5-1-5/

      Sarah, you said … “Send me the link to your post and I will link to that instead. :)”

      The link is above; we hope you replace the reporter’s post with ours as you said you would.
