
CVE-2017-18606 – Avada <= 5.1.4 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18606
26 Apr 2017 — The Avada theme before 5.1.5 for WordPress has stored XSS. The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the avada_portfolio_category_slug parameter saved by the save_permalink_settings() function called via 'admin_init' in versions up to 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with minimal pe... • https://wpvulndb.com/vulnerabilities/8801 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-18607 – Avada <= 5.1.4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-18607
26 Apr 2017 — The Avada theme before 5.1.5 for WordPress has CSRF. The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.4. This is due to missing nonce validation on the fusion_builder_importer() function. This makes it possible for unauthenticated attackers to trigger the importer and upload arbitrary files via a forged request granted they can trick a site admin... • https://wpvulndb.com/vulnerabilities/8801 • CWE-352: Cross-Site Request Forgery (CSRF)