CVE-2024-54357: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ThemeFusion's Avada WordPress theme, affecting versions up to and including 7.11.10. The vulnerability was reported on October 2, 2024, by Ananda Dhakal and was publicly disclosed on December 11, 2024. The issue has been assigned CVE-2024-54357 and has received a CVSS score of 4.3 (Medium) (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the Avada theme. This security flaw has been classified as CWE-352 (Cross-Site Request Forgery) and falls under the OWASP Top 10 category A4: Insecure Design. The vulnerability received a CVSS v3.1 base score of 4.3 with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. The impact is considered low to medium severity, as it requires user interaction and can only achieve limited impact (Patchstack).

The vulnerability has been fixed in Avada version 7.11.11. Users are advised to update to this version or later to remove the vulnerability. Given the low severity impact and unlikely exploitation potential, the update is considered a low priority patch (Patchstack).