The Rootshell team discovered a critical vulnerability within Avada, the number one best-selling theme on WordPress.

Rootshell Security Consultant, Calum Elrick, identified a Server-Side Request Forgery (SSRF) issue by manipulating a parameter in the theme’s prebuilt contact form builders.

SSRF is a vulnerability that allows threat actors to create requests from the vulnerable server and access private IP addresses on the server’s local network.

This enables threat actors to target internal systems behind firewalls that are normally inaccessible, as well as access services from the same server that is listening on the loopback interface.

In summary, Server-Side Request Forgery attacks make it possible to:

  • Scan and attack systems from the internal network that are not normally accessible
  • Enumerate and attack services that are running on these hosts
  • Exploit host-based authentication services

On discovery of the issue, the Rootshell team quickly took action, and responsibly disclosed the vulnerability to Theme Fusion, the creators of Avada.

Theme Fusion addressed the issue promptly, and a patch has now been added in versions 7.6.2 (security update) and 7.7.

More details, including proof-of-concept code, will be available on our blog soon.

This vulnerability affects Avada version 7.6.1 and below. We advise Avada users to update their version to the latest patch, available here.