ThemeFusion’s multipurpose WordPress theme Avada has patched an Arbitrary File Upload Vulnerability. Avada is one of ThemeForest’s most popular premium themes with nearly 950k sales.
This vulnerability was reported responsibly by Muhammad Zeeshan (Xib3rR4dAr) during Wordfence’s Bug Bounty Extravaganza earning him $2,751. The researchers have categorized it as a “high severity” concern, with a CVSS score of 8.8, and strongly recommend updating the theme.
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
-Wordfence
The nature of the vulnerability allows attackers to upload arbitrary malicious PHP code and remotely execute code on the server. Even if the uploaded file is removed, attackers can still upload multiple large files as there is no restriction on the file extensions.
Muhammad Zeeshan contacted the ThemeFusion team on February 6, and a patched version of the theme was released on February 12. We urge all Avada users to immediately update their websites to the latest version of the theme 7.11.5.
Its a very nice find, but not easy to call as attacker as can be read at the wordfence site. I agree it should have been better checked in code, however webhosters are also in charge of denying php calls to the uploads folder IMHO.