Security Fixes Added in 5.1.5

05/18/2017

In Avada 5.1.5, we fixed two security issues that affect Avada versions 5.1.4 and below. They appear in our Changelog as:

– FIXED: Security fix to prevent additional calls to permalink structure (XSS)
– FIXED: Security fix that adds AJAX request verification for Fusion Builder content importer

What Does This Mean For Me?

  • Q: How would you know if a site has been compromised?
    A: Generally speaking, this could show up as a new admin user that wasn’t created by you or another legitimate admin of your site. You may also notice admin-level activity that wasn’t yours (e.g. a new page or post being created).
  • Q: Why did this happen?
    A: Essentially, this happened because WordPress allows AJAX calls to admin-related functions even from outside the admin area. This can be fixed by disabling these functions for AJAX calls, which is what we did in the fix for the theme.
  • Q: If someone hacks my site, what damage can they do?
    A: Since an admin user can be created, unfortunately almost anything could be done to a successfully hacked site, which is why updating is highly recommended.
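To make concrete what "AJAX request verification" means for a WordPress handler, here is an added illustration of the weak pattern beside the hardened one. This is example code, not Avada's or Fusion Builder's own; the hook name `example_import_content`, the nonce action `example_import_nonce`, the `security` request field, the `manage_options` capability, the admin page slug and the `example_do_import()` stand-in are all assumptions made for the example.

```php
<?php
/**
 * Added example (not Avada/Fusion Builder code): verifying an admin-ajax.php
 * request before doing privileged work. All names below are assumptions.
 */

// --- Weak pattern: privileged work with no check on who is asking. ---
// Every request to admin-ajax.php with action=example_import_content reaches a
// 'wp_ajax_example_import_content' callback, so anyone logged in (or anyone at
// all, if a 'wp_ajax_nopriv_' variant is registered) can trigger it. This
// function is shown for comparison only and is deliberately not hooked up.
function example_import_content_unverified() {
	$content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
	example_do_import( $content );
	wp_send_json_success();
}

// --- Hardened pattern: verify origin, then authority, then input. ---
function example_import_content_verified() {
	// 1. Nonce check: proves the request came from a page WordPress rendered
	//    for this user, which stops forged cross-site requests. Passing false
	//    as the third argument makes it return instead of die(), so we can
	//    answer with a JSON error and a proper status code.
	if ( ! check_ajax_referer( 'example_import_nonce', 'security', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
	}

	// 2. Capability check: a valid nonce proves origin, not authority, so the
	//    caller must still hold the capability the action requires.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input handling: unslash and validate before use.
	$content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
	if ( '' === $content ) {
		wp_send_json_error( array( 'message' => 'No content supplied.' ), 400 );
	}

	$post_id = example_do_import( $content );
	wp_send_json_success( array( 'post_id' => $post_id ) );
}
// Register only the logged-in hook; intentionally no 'wp_ajax_nopriv_' variant.
add_action( 'wp_ajax_example_import_content', 'example_import_content_verified' );

// Hand the nonce to the importer script so legitimate requests can carry it
// in the 'security' field that check_ajax_referer() reads above.
function example_enqueue_importer_script( $hook_suffix ) {
	// Hypothetical admin page slug; load the script only there.
	if ( 'toplevel_page_example-importer' !== $hook_suffix ) {
		return;
	}
	wp_enqueue_script( 'example-importer', plugins_url( 'js/importer.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'example-importer', 'exampleImporter', array(
		'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
		'security' => wp_create_nonce( 'example_import_nonce' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_importer_script' );

// Hypothetical stand-in for an import routine: store the content as a draft,
// filtered through wp_kses_post() so stored markup is limited to post-safe HTML.
function example_do_import( $content ) {
	return wp_insert_post( array(
		'post_title'   => 'Imported content',
		'post_content' => wp_kses_post( $content ),
		'post_status'  => 'draft',
	) );
}
```

The order matters: the nonce check rejects forged requests before any database work happens, and the capability check is kept separate because a nonce only ties the request to a session, not to a privilege level. The client side simply posts `action=example_import_content`, `security=<nonce from exampleImporter.security>` and `content=...` to `exampleImporter.ajaxUrl`.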

Update The Theme

It’s always recommended to stay on the latest version of Avada and WordPress so you have the latest in security best practice and so you’re not behind on any security fixes.

  • Get the fix: To get these security fixes, just update the theme to the latest version of Avada. We recommend users check our post on How To Update The Theme before updating.
  • Updating from an older version? If you’re updating from an Avada version older than Avada 5.0, we recommend following the steps outlined in Updating Avada from Older Versions.

Manually fixing the issue

IMPORTANT NOTE – We strongly recommend updating to fix these issues and, in general, keeping your install up to date. Only that way do you have access to the latest features and bug fixes and stay in step with WordPress and third-party plugins. While the instructions below will fix the issue, applying these steps is at your own risk.

If you are not able to update your install for some reason, the information below will help you fix the issue manually on older installs.

Needed fix in Avada

These instructions are valid for Avada 3.9.2 or greater.

Open Avada/includes/class-avada-admin.php and find this line:

Directly below it, paste

Needed fix in Fusion Builder

These instructions can be used for all versions of Fusion Builder.

Open fusion-builder/fusion-builder.php and find these lines:

Directly below them, paste

Open fusion-builder/inc/importer/importer.php and find this line:

Directly below it, paste

Open fusion-builder/inc/importer/js/fusion-builer-importer.js and find this line:

Directly below it, paste
