$2,751 Bounty Awarded for Arbitrary File Upload Vulnerability Patched in Avada WordPress Theme

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

On February 6th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Avada, a WordPress theme with more than 945,000 sales, though we expect the software is running on over one million sites. This vulnerability can be leveraged by authenticated attackers with contributor-level permissions and above to upload arbitrary files onto the server and achieve remote code execution.

Props to Muhammad Zeeshan (Xib3rR4dAr) who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,751.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to investing not only in making the WordPress ecosystem more secure, but in securing the entire web.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Malicious File Upload protection.

The researcher contacted ThemeFusion on February 6, 2024, the same day they reported the issue to us. After providing full disclosure details, the developer released a patch on February 12, 2024. We would like to commend ThemeFusion for their prompt response and timely patch. While we typically discourage researchers from handling responsible disclosure themselves as this can cause difficulty in verifying reports and patches, and because we’ve found that developers are more likely to be responsive to disclosures handled through our program, in this case it was handled quickly and thoroughly enough that it didn’t cause an issue.

We urge users to update their sites with the latest patched version of Avada, version 7.11.5 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 – Authenticated (Contributor+) Arbitrary File Upload
Affected Theme: Avada | Website Builder For WordPress & WooCommerce
Theme Slug: Avada
Affected Versions: <= 7.11.4
CVE ID: CVE-2024-1468
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Muhammad Zeeshan (Xib3rR4dAr)
Fully Patched Version: 7.11.5
Bounty Award: $2,751.00

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Technical Analysis

Avada is the most popular premium WordPress multipurpose template on the ThemeForest marketplace.

Unfortunately, insecure implementation of the theme’s page options import functionality allows for arbitrary file upload. Examining the code reveals that the theme uses the ajax_import_options() function in the Avada_Page_Options class to import the options in json format.

add_action( 'wp_ajax_fusion_page_options_import', [ $this, 'ajax_import_options' ] );

The AJAX handler's only access control is a nonce check, and that nonce is available to authenticated users with at least contributor-level permissions.

public function ajax_import_options() {

    // The only authorization check: a nonce that contributor-level users and above can obtain.
    check_ajax_referer( 'fusion-page-options-nonce', 'fusion_po_nonce' );
    $response = [];

    $post_id = 0;
    if ( isset( $_POST['post_id'] ) ) {
        $post_id = absint( $_POST['post_id'] );
    }

    if ( ! isset( $_FILES['po_file_upload']['name'] ) ) {
        wp_die();
    }

    // Do NOT use wp_unslash() here as it breaks imports on windows machines.
    // The destination path is built from the client-supplied filename with no
    // extension or file type validation.
    $json_file_path = wp_normalize_path( $this->po_dir_path . $_FILES['po_file_upload']['name'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput

    if ( ! file_exists( $this->po_dir_path ) ) {
        wp_mkdir_p( $this->po_dir_path );
    }

    if ( ! isset( $_FILES['po_file_upload'] ) || ! isset( $_FILES['po_file_upload']['tmp_name'] ) ) {
        wp_die();
    }

    // We're already checking if defined above.
    // Do NOT use wp_unslash() here as it breaks imports on windows machines.
    // The uploaded file is moved unchanged into the publicly reachable uploads directory.
    if ( ! $this->wp_filesystem->move( wp_normalize_path( $_FILES['po_file_upload']['tmp_name'] ), $json_file_path, true ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
        wp_die();
    }

    $content_json = $this->wp_filesystem->get_contents( $json_file_path );

    $custom_fields = json_decode( $content_json, true );
    if ( $custom_fields ) {
        $response['custom_fields'] = $custom_fields;
    }

    // The file is only removed after it has been on disk and reachable over the web.
    $this->wp_filesystem->delete( $json_file_path );

    echo wp_json_encode( $response );
    wp_die();
}

Although the function processes the content of the uploaded file with json_decode(), nothing restricts the file's extension: in addition to .txt or .json files, a file with a .php extension is accepted. The file is moved, under its original name, into the WordPress uploads folder, which is publicly accessible. This makes it possible for attackers to upload arbitrary malicious PHP code and then request the file to trigger remote code execution on the server.

It’s important to note that the file is immediately deleted from the server within the function, but the attacker can successfully exploit the vulnerability by continuously uploading multiple large files and attempting to access the files for execution, taking advantage of a race condition. The researcher was able to successfully demonstrate an exploit that could easily be replicated across environments with relatively consistent success.
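The following hardened version of the handler is added here to illustrate how both the missing type validation and the move-then-delete race described above could be closed; it is example code, not ThemeFusion's actual patch. It keeps the nonce name and form field names from the vulnerable handler; the capability check, the 1 MiB size cap and the JSON response helpers are assumptions.

```php
// Added illustration, not ThemeFusion's patch. Nonce and field names are taken
// from the vulnerable handler above; the rest of the design is assumed.
public function ajax_import_options() {
    check_ajax_referer( 'fusion-page-options-nonce', 'fusion_po_nonce' );

    // A nonce only proves the request came from the UI; add a capability check
    // so that only users allowed to edit the target post can import into it.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $file = isset( $_FILES['po_file_upload'] ) ? $_FILES['po_file_upload'] : null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_send_json_error( 'no_file', 400 );
    }

    // Allow-list the extension instead of accepting whatever name the client chose.
    $check = wp_check_filetype( sanitize_file_name( $file['name'] ), [ 'json' => 'application/json' ] );
    if ( 'json' !== $check['ext'] ) {
        wp_send_json_error( 'invalid_type', 415 );
    }

    // Cap the size (1 MiB here, an assumed limit) so the import cannot be used
    // to fill the disk or exhaust memory in json_decode().
    if ( filesize( $file['tmp_name'] ) > 1024 * 1024 ) {
        wp_send_json_error( 'too_large', 413 );
    }

    // Read PHP's own upload temp file directly. The content never lands in the
    // web-accessible uploads directory under a client-chosen name, so there is
    // no window in which a .php file could be requested, and nothing to delete.
    $content_json  = file_get_contents( $file['tmp_name'] ); // phpcs:ignore WordPress.WP.AlternativeFunctions
    $custom_fields = json_decode( $content_json, true );
    if ( ! is_array( $custom_fields ) ) {
        wp_send_json_error( 'invalid_json', 400 );
    }

    wp_send_json_success( [ 'custom_fields' => $custom_fields ] );
}
```

Because the uploaded bytes are parsed straight from the temporary file and only the decoded JSON is returned, no attacker-named file is ever created on the server, which removes the race window entirely rather than narrowing it.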

Disclosure Timeline

February 6, 2024 – We receive the submission of the Arbitrary File Upload vulnerability in Avada via the Wordfence Bug Bounty Program. The researcher initiates responsible disclosure.
February 8, 2024 – We initiate triage of the report. However, we have a difficult time replicating the issue and ask the researcher for more details.
February 12, 2024 – A patched version of the theme is released.
February 13, 2024 – After the researcher sends over additional details, we confirm the proof of concept and validate the report.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the Avada theme affecting versions 7.11.4 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to execute malicious code on the server. The vulnerability has been fully addressed in version 7.11.5 of the theme.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Avada.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this theme on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
