CVE-2024-1468

Name of the Vulnerable Software and Affected Versions Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to, and including, 7.11.4

Description The issue is related to arbitrary file uploads due to missing file type validation in the ajax import options() function. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server, which may lead to remote code execution. The flaw is estimated to affect nearly 950,000 sales.

Recommendations For versions up to, and including, 7.11.4, update to a version above 7.11.4 to resolve the issue. As a temporary workaround, consider disabling the ajax import options() function until a patch is available. Restrict access to the affected site's server to minimize the risk of exploitation. Avoid using the vulnerable function until the issue is resolved.