CVE-2024-12477 in Avada Builder Plugininfo

Summary

by MITRE • 01/23/2025

The Avada Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.11.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/09/2025

The vulnerability identified as CVE-2024-12477 affects the Avada Builder plugin for WordPress, a widely used page builder solution that enables users to create complex web layouts through intuitive drag-and-drop interfaces. This particular flaw represents a critical security weakness that has existed across all versions of the plugin up to and including version 3.11.11, making it a persistent threat to WordPress installations that rely on this popular tool. The vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's shortcode implementation, creating a pathway for malicious actors to execute persistent code injections that can affect multiple users simultaneously.

The technical nature of this vulnerability classifies it as a stored cross-site scripting flaw, which operates through the manipulation of user-supplied attributes within the plugin's shortcode functionality. When authenticated users with contributor-level privileges or higher access the affected plugin, they can inject malicious scripts through shortcode parameters that are then stored within the WordPress database. These stored scripts execute whenever any user accesses pages containing the compromised shortcodes, creating a persistent threat vector that can affect not only the immediate victim but potentially all users who encounter the malicious content. This vulnerability directly maps to CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications, and represents a prime example of how insufficient sanitization can create lasting security risks in content management systems.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a means to escalate their privileges and potentially compromise entire WordPress installations. Contributors and higher-level users typically have significant access to content creation and modification capabilities, making them ideal targets for attackers seeking to establish persistent access. Once an attacker successfully injects malicious code through the shortcode system, they can potentially redirect users to malicious sites, steal session cookies, or execute additional attacks such as privilege escalation or data exfiltration. This vulnerability aligns with ATT&CK technique T1546.001, which covers the use of registry run keys and startup folder for persistence, as the stored scripts can maintain their presence across user sessions and system reboots.

Organizations and WordPress administrators should prioritize immediate remediation of this vulnerability by updating to the latest version of the Avada Builder plugin where the issue has been addressed through proper input sanitization and output escaping mechanisms. The recommended mitigation strategy involves not only applying the vendor-provided patch but also implementing additional security measures such as role-based access controls, monitoring for unusual shortcode usage patterns, and conducting regular security audits of plugin installations. Security teams should also consider implementing content security policies and regular vulnerability scanning to identify similar issues in other plugins or themes that may be susceptible to the same class of vulnerability. The presence of this flaw underscores the critical importance of proper input validation and output escaping in web applications, particularly in content management systems where user-generated content processing is a core function.

Reservation

12/11/2024

Disclosure

01/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00216

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!