We have released Avada 7.6.2, a security update that addresses an SSRF vulnerability in Avada Forms, disclosed in our Changelog and our Important Update Info help file.
Like WordPress and any other entity that develops software, we understand that security is not absolute; it is a continuous process, and we manage it as such. We do our best to prevent security issues proactively, and we do not assume they will never come up. Our responsibility is to take care of them quickly and to get our customers notified and prepared. This is why we recommend keeping your website and plugins up to date and maintained at all times.
The description of the security issue identified and fixed is listed below:
Thanks to Calum Elrick (Rootshell Security), who brought the issues to our attention!
What Should I Do Next?
We cannot stress enough the importance of ensuring that your website is kept up to date and maintained at all times. Please update to ensure that your installation is issue-free and the fixes detailed above are applied. These are our detailed update instructions:
Thanks for the post. Does this apply if the Avada Forms module is switched off? We use an alternative forms solution for some of our sites.
Hi. No, it only applies if you have a form being used on the front-end.