Stored Cross-Site Scripting Vulnerability in Avada Builder Plugin for WordPress
CVE-2024-12477
5.4MEDIUM
What is CVE-2024-12477?
The Avada Builder plugin for WordPress, present in versions up to and including 3.11.11, suffers from a Stored Cross-Site Scripting vulnerability. This issue arises from inadequate input sanitization and output escaping of user-supplied attributes in the plugin's shortcodes. Consequently, authenticated users with contributor-level access or higher can exploit this vulnerability by injecting arbitrary web scripts into pages. These scripts execute every time a user visits the compromised page, potentially leading to data theft and site manipulation.
Affected Version(s)
Avada (Fusion) Builder * <= 3.11.11