With the release of Avada 5.7.2 we have fixed an XSS security issue affecting Avada versions 5.7.1 and below. The fix is for the Bootstrap JS libraries that are used in Avada and is listed in our Changelog and also disclosed in our Important Update Info doc.
We recommend keeping your theme up to date and maintained at all times. It’s best to use auto updates and to also keep an eye on the Fusion Patcher tool, as we typically issue fixes and improvements within a short space of time without the need for a full theme update.
Like WordPress and any entity that develops software, we understand that security is not an absolute; it’s a continuous process and should be managed as such. We do our best to be as proactive as possible in preventing security issues and we do not assume they’ll never come up. Our job is to quickly take care of them and work to get our customers notified and prepared.
The description of the security issue identified and fixed is listed below:
- FIXED: Security fix to prevent possible XSS attacks in bootstrap JS libraries
Our development team was alerted to the Bootstrap vulnerability and took action to check and verify it. Once it was verified, our team applied the fix to Avada 5.7.2, which has been released. The changelog entry that lists the security fix can be found here: Avada Changelog
What Should I Do Next?
We cannot stress enough the importance of making sure that your install is updated and maintained at all times. To ensure that your theme installation is issue free and the fix detailed above is applied, please update. These are our detailed update instructions:
It is also important to apply any patches that our team releases between update cycles as part of ongoing maintenance for your install, and to always clear your cache plugins after updating.
Patches are applied at the click of a button as explained in our Avada Patcher doc post.
Thank you to Morten Dalgaard for his dedication and communication which benefits both Avada and the wider community as a whole.