• Resolved Mariette

    (@mariettej)


    Hello

    I have just installed your plugin for the first time and am seeing this warning:

    Avada Builder has a known vulnerability that may be affecting this version.– < 7.11.6

    The problem is that the latest version of Avada Builder plugin is 3.11.11 and the Avada theme is 7.11.11. For info, the Builder plugin is linked to the Avada theme and updates at the same time as the theme, but the numbering is different.

    So I think the vulnerability in the plugin was probably fixed in version 3.11.6.

    Can you advise what I should do now?

    thanks
    Mariette

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Javier Casares

    (@javiercasares)

    Can you send the CVE or some other information related so I can find exactly the error?

    Thread Starter Mariette

    (@mariettej)

    Hi

    This info is from the WPVulnerability email:

    Plugin: Avada BuilderFusion Builder [fusion-builder] < 7.11.6
    Improper Access Control
    The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
    Global score: 6.5 / 10
    Severity: Medium

    [+] CVE-2024-1668
    [+] Avada <= 7.11.5 – Authenticated(Contributor+) Sensitive Information Exposure via Form Entries
    [+] WordPress Avada Theme <= 7.11.5 is vulnerable to Sensitive Data Exposure

    However, the [+] links above all relate to the Avada theme (which is now at version 7.11.11).

    The Avada Builder plugin (which is now at version 3.11.11) was introduced in version 5x of Avada. As Avada has now moved to 7x, the builder is on 3x.

    So, the warning is wrong – it has confused the numbering of the theme with the numbering of the plugin and so thinks the plugin is out of date when in fact it is on the latest version.

    Does that make sense?

    thanks
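The mismatch described in the post above, as an added example that is not part of the original thread and is not the WPVulnerability plugin's code: an advisory range written against the theme's 7.x numbering is filed under the plugin's slug, and a plausibility check against the newest published release catches it. The record fields, the status names and the `latest` field are assumptions made for illustration; the version numbers are the ones quoted in the thread.

```python
# Added example: constructed records using the version numbers quoted in this thread.
from dataclasses import dataclass

def parse_version(text):
    """Turn '7.11.6' into (7, 11, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class Advisory:
    cve: str
    kind: str       # "plugin" or "theme"
    slug: str
    fixed_in: str   # first version that is no longer affected

@dataclass(frozen=True)
class Component:
    kind: str
    slug: str
    installed: str
    latest: str     # newest release published for this component (hypothetical field)

def assess(component, advisory, check_plausible=True):
    """Return 'not-applicable', 'ok', 'vulnerable' or 'suspect-mapping'."""
    if (component.kind, component.slug) != (advisory.kind, advisory.slug):
        return "not-applicable"
    fixed = parse_version(advisory.fixed_in)
    if parse_version(component.installed) >= fixed:
        return "ok"
    # A fix version newer than anything ever released for this component means
    # the range was written against another product's version line.
    if check_plausible and fixed > parse_version(component.latest):
        return "suspect-mapping"
    return "vulnerable"

# Constructed inventory: the builder plugin is on 3.x, the theme on 7.x.
BUILDER = Component("plugin", "fusion-builder", "3.11.11", "3.11.11")
THEME = Component("theme", "avada", "7.11.11", "7.11.11")

# The same "< 7.11.6" range, once filed under the plugin and once under the theme.
MISFILED = Advisory("CVE-2024-1668", "plugin", "fusion-builder", "7.11.6")
THEME_ADVISORY = Advisory("CVE-2024-1668", "theme", "avada", "7.11.6")

if __name__ == "__main__":
    print(assess(BUILDER, MISFILED, check_plausible=False))  # the warning seen in the thread
    print(assess(BUILDER, MISFILED))
    print(assess(THEME, THEME_ADVISORY))
```
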

    Plugin Author Javier Casares

    (@javiercasares)

    Fixed! It can take some hours to refresh the cache, but it should be fixed then.

    Thank you for improving the information!

    Thread Starter Mariette

    (@mariettej)

    Thank you Javier, I appreciate you looking into it.

    One thing, it may be a cache thing, but I am still seeing 2 of the above 3 notices on the plugin page, both relating to the theme, not the plugin:

    Avada Builder has a known vulnerability that may be affecting this version.– < 7.11.6

    [+] Avada <= 7.11.5 – Authenticated(Contributor+) Sensitive Information Exposure via Form Entries
    [+] WordPress Avada Theme <= 7.11.5 is vulnerable to Sensitive Data Exposure

    Is this likely to clear soon do you think?

    best wishes, Mariette

    Thread Starter Mariette

    (@mariettej)

    Hello Javier

    Just to say that the above warning message is still visible so I don’t think it is just a cache thing. It seems that the wrong info (confusing the plugin with the theme version numbers) is still present at these 2 links:

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/fusion-builder/avada-7115-authenticatedcontributor-sensitive-information-exposure-via-form-entries

    https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-plugin-7-11-5-authenticated-contributor-sensitive-information-exposure-via-form-entries-vulnerability

    Is there anything that can be done about this as I am reluctant to install this plugin on my clients’ sites until this message has gone away…

    many thanks

    Mariette

    Plugin Author Javier Casares

    (@javiercasares)

    Fixed. Will be updated in around 1 hour.

    Thread Starter Mariette

    (@mariettej)

    Fantastic! All good now 🙂

    Thank you so much Javier


The topic ‘Avada Builder plugin version numbering issue’ is closed to new replies.