For the release of Avada 6.2.3 we have fixed an XSS security issue affecting Avada versions 6.2.2 and below. The fix prevents XSS attacks from a user with a registered Contributor role, which would otherwise allow them to edit, delete or create posts outside the permissions of their user role. The issue is disclosed in our Changelog and also in our Important Update Info doc.
We recommend keeping your theme up to date and maintained at all times. It’s best to use auto updates and to also keep an eye on the Fusion Patcher tool, as we typically issue fixes and improvements within a short space of time without the need for a full theme update.
Like WordPress and any entity that develops software, we understand that security is not an absolute; it’s a continuous process and should be managed as such. We do our best to be as proactive as possible in preventing security issues, and we do not assume they’ll never come up. Our job is to take care of them quickly and work to get our customers notified and prepared.
The description of the security issue identified and fixed is listed below:
- FIXED: Possible XSS attacks from users with the Contributor role, which would allow them to edit, delete or create posts that don’t belong to their user role.
Thanks to Jerome from NinTechNet, who brought the issue to our attention!
What Should I Do Next?
We cannot stress enough the importance of making sure that your install is updated and maintained at all times. To ensure that your theme installation is issue free and the fix detailed above is applied, please update, then confirm that the theme reports version 6.2.3 or later. These are our detailed update instructions:
It is also important to ensure that any patches our team releases between update cycles are applied as part of ongoing maintenance for your install, and to always clear your cache plugins after updating.
Patches are applied at the click of a button as explained in our Avada Patcher doc post.