Security Fixes Added in 5.1.5

21/05/2018

In Avada 5.1.5, we fixed two security issues that were present in Avada versions 5.1.4 and below. The fix is listed in our Changelog as:

- FIXED: Security fix to prevent additional calls to permalink structure (XSS)

What Does This Mean For Me?

    • Q: How would you know if a site has been compromised? A: Generally speaking, this could show up as a new admin user that wasn't created by you or another legitimate admin of your site. You may also notice admin-level activity that didn't come from you (e.g. a new page or post being created).
    • Q: Why did this happen? A: Essentially, this happened because WordPress allows AJAX calls to admin-related functions, even from outside the admin area. This can be fixed by disabling these functions for AJAX calls, which is what we did in the fix for the theme.
    • Q: If someone hacks my site, what damage can they do? A: Since an admin user can be created, unfortunately almost anything could be done to a successfully hacked site, which is why updating is highly recommended.
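The pattern behind the "Why did this happen?" answer, shown as an added example. This is not Avada's code or its actual patch; every `example_` function name, the `example_theme_setting` option and the `example_nonce` field are hypothetical. It goes beyond the fix described above by also adding the capability and nonce checks WordPress provides for this case.

```php
<?php
// Added illustration for a WordPress theme or plugin file. Not Avada's code.
// All "example_" names and the "example_theme_setting" option are hypothetical.

// Weak pattern: the admin_init hook also fires for requests to
// wp-admin/admin-ajax.php, and is_admin() returns true there, even when the
// visitor is not logged in. is_admin() describes the URL, not the user.
function example_save_setting_weak() {
    if ( is_admin() && isset( $_POST['example_theme_setting'] ) ) {
        update_option( 'example_theme_setting', $_POST['example_theme_setting'] );
    }
}
// Deliberately left unhooked; shown for comparison only.

// Hardened pattern: the same handler with the missing checks added.
function example_save_setting_hardened() {
    // 1. Do not run admin-only logic for AJAX requests at all
    //    (wp_doing_ajax() requires WordPress 4.7 or later).
    if ( wp_doing_ajax() ) {
        return;
    }

    if ( ! isset( $_POST['example_theme_setting'] ) ) {
        return;
    }

    // 2. Require a logged-in user who is allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // 3. Require a valid nonce from the settings form; this call ends the
    //    request if the nonce is missing or invalid.
    check_admin_referer( 'example_save_setting', 'example_nonce' );

    // 4. Store a sanitized value, never the raw request data.
    $value = sanitize_text_field( wp_unslash( $_POST['example_theme_setting'] ) );
    update_option( 'example_theme_setting', $value );
}
add_action( 'admin_init', 'example_save_setting_hardened' );
```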

    Update The Theme

    It's always recommended to stay on the latest version of Avada and WordPress, so you have the latest in security best practices and are not behind on any security fixes.

      • Get the fix: To get these security fixes, just update the theme to the latest version of Avada. We recommend users check our post on How To Update The Theme before updating.
      • Updating from an older version? If you're updating from an Avada version older than Avada 5.0, we recommend following the steps outlined in Updating Avada from Older Versions.

      Manually fixing the issue

      IMPORTANT NOTE: We strongly recommend updating your system to fix the issues, and in general to keep your install up to date. Only that way do you have access to the latest features and bug fixes, and can you keep your system up to date with WordPress and third-party plugins. While the instructions below will fix the issue, applying the steps is at your own risk.

      If you are not able to update your install for some reason, the information below will help you manually fix the issue on older installs.

      Needed fix in Avada

      This instruction is valid for Avada 3.9.2 or greater. Open Avada/includes/class-avada-admin.php and find this line:

      Directly below it, paste

      Needed fix in Fusion Builder

      This instruction can be used for all versions of Fusion Builder. Open fusion-builder/fusion-builder.php and find these lines:

      Directly below them, paste

      Open fusion-builder/inc/importer/importer.php and find this line:

      Directly below it, paste

      Open fusion-builder/inc/importer/js/fusion-builer-importer.js and find this line:

      Directly below it, paste
