← volver
CVE-2024-2343

Avada <= 7.11.6 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action

CVSS 6.4 MEDIUMEPSS 0.5%CWE-918
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the form_to_url_action function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Productos afectados
ThemeFusion · Avada | Website Builder For WordPress & WooCommerce

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://avada.com/documentation/avada-changelog/https://gist.github.com/Xib3rR4dAr/55d41870c7ce0e95f454d00100bc10dchttps://www.wordfence.com/threat-intel/vulnerabilities/id/87ca07ac-6080-45d7-a8f5-74a918adec43?source=cve