CVE-2024-2344: 
WordPress vulnerability analysis and mitigation

The Avada theme for WordPress contains a SQL Injection vulnerability (CVE-2024-2344) discovered in versions up to and including 7.11.6. The vulnerability exists in the 'entry' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation (NVD).

The vulnerability allows authenticated attackers with editor-level access or higher to append additional SQL queries to existing queries. This is possible due to improper input validation in the form entry deletion endpoint of the Fusion-Builder plugin that comes bundled with Avada. The vulnerability specifically affects the 'entry' parameter in the fusionremoveform_entry action (GitHub Exploit).

When exploited, this vulnerability enables authenticated attackers to extract sensitive information from the database. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH), indicating significant potential impact on the confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been patched in version 7.11.7 of the Avada theme. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (Avada Changelog).