
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-1468 is a high-severity arbitrary file upload vulnerability (CVSS 8.8) in the Avada | Website Builder For WordPress & WooCommerce theme. It affects all versions up to and including 7.11.4 of a theme with nearly 950,000 sales. The flaw was discovered and reported by Muhammad Zeeshan (Xib3rR4dAr) through the Wordfence Bug Bounty Program (Security Online, NVD).
The vulnerability stems from missing file type validation in the ajax_import_options() function of the Avada_Page_Options class, which implements the theme's page options import feature. The handler does not restrict the extension of the imported file, so a file ending in .php can be written into the WordPress uploads directory, which is served publicly (NVD, Security Online).
Authenticated attackers with Contributor-level access or higher can therefore upload arbitrary files to the affected server, which can lead to remote code execution. The handler deletes the uploaded file immediately after processing it, so exploitation is a race: an attacker floods the server with large uploads to widen the window and requests the uploaded .php file before it is removed (Security Online).
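To make the two paragraphs above concrete, here is an added illustration written for this page, not Avada's or ThemeFusion's code: a minimal WordPress AJAX "import options" handler in the vulnerable shape (trusted filename, file parked under the web root, deleted only after use) beside a hardened version. The hook names, function names, option key and allowed-key list are hypothetical.

```php
<?php
// Added illustration, not code from the Avada theme. Names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Any logged-in user can reach wp_ajax_* hooks, the extension is never checked,
// and the file is written to the web-reachable uploads directory before it is
// parsed and deleted. A .php upload is executable for that brief window.
add_action( 'wp_ajax_demo_import_options', 'demo_import_options_vulnerable' );
function demo_import_options_vulnerable() {
    if ( empty( $_FILES['import_file'] ) ) {
        wp_send_json_error( 'no file' );
    }
    $upload_dir = wp_upload_dir();
    // The client-supplied filename is trusted, so "shell.php" lands under /wp-content/uploads/.
    $dest = trailingslashit( $upload_dir['basedir'] ) . basename( $_FILES['import_file']['name'] );
    move_uploaded_file( $_FILES['import_file']['tmp_name'], $dest );
    $options = json_decode( file_get_contents( $dest ), true );
    unlink( $dest ); // Deleted right away, but a racing GET for the file can win first.
    wp_send_json_success( $options );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_demo_import_options_safe', 'demo_import_options_safe' );
function demo_import_options_safe() {
    // 1. Importing site-wide options is an administrative action: require the
    //    matching capability rather than accepting any authenticated user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check so the endpoint cannot be driven cross-site.
    check_ajax_referer( 'demo_import_options', 'nonce' );

    if ( empty( $_FILES['import_file'] ) || UPLOAD_ERR_OK !== $_FILES['import_file']['error'] ) {
        wp_send_json_error( 'upload failed', 400 );
    }
    $file = $_FILES['import_file'];

    // 3. Restrict the extension with an explicit allow-list. WordPress core does
    //    not list json in get_allowed_mime_types(), so pass the list ourselves.
    $check = wp_check_filetype( $file['name'], array( 'json' => 'application/json' ) );
    if ( 'json' !== $check['ext'] ) {
        wp_send_json_error( 'only .json exports may be imported', 415 );
    }

    // 4. Read the PHP temp file directly. It never touches the web root, so there
    //    is no window in which an uploaded file could be requested and executed.
    $raw = file_get_contents( $file['tmp_name'] );
    if ( false === $raw || strlen( $raw ) > 1048576 ) { // 1 MiB is ample for an options export
        wp_send_json_error( 'file too large or unreadable', 413 );
    }

    // 5. The real content check for this format is a successful JSON parse.
    $options = json_decode( $raw, true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $options ) ) {
        wp_send_json_error( 'invalid JSON', 400 );
    }

    // 6. Store only the keys the feature actually owns, sanitised.
    $allowed = array( 'layout', 'header_style', 'footer_style' ); // hypothetical key list
    $clean   = array_intersect_key( $options, array_flip( $allowed ) );
    update_option( 'demo_page_options', array_map( 'sanitize_text_field', $clean ) );
    wp_send_json_success( array( 'imported' => array_keys( $clean ) ) );
}
```

The decisive change is step 4: an import routine has no reason to copy the upload into a directory the web server executes from, so reading it from PHP's temporary location removes the race entirely rather than shortening it. As defence in depth on any WordPress host, denying script execution under wp-content/uploads at the web server level (for example a per-directory rule that refuses to serve .php files) would have blunted this bug even before the patch.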
ThemeFusion, the developer of Avada, responded promptly to the report, received on February 6, 2024, and released a fix in version 7.11.5 on February 12, 2024. Users are strongly advised to update to 7.11.5 or later (Security Online).
The security researcher, Muhammad Zeeshan, was awarded a bounty of $2,751.00 for responsibly reporting the vulnerability through the Wordfence Bug Bounty Program (Security Online).
Source: This report was generated using AI