The popular Avada theme and the related Avada Builder plugin have been found to contain a number of security flaws. The flaws, which were found by security researcher Rafie Muhammad of Patchstack, leave many WordPress websites vulnerable.
Two of these flaws are in the Avada Builder plugin. The first is an Authenticated SQL Injection (CVE-2023-39309). Attackers with authenticated access could use this vulnerability to breach sensitive data and possibly run remote code. The second is a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-39306), which enables unauthenticated attackers to steal sensitive information and potentially escalate their privileges on affected WordPress sites.