The team released a small but important update fixing some security issues and minor fixes. It is unclear if the security issues are regressions or long-standing problems, and as such, you should update as soon as possible — have a backup available just in case.
- SECURITY: Fixed broken access control vulnerability (potentially letting authenticated users save Portfolio permalink) - SECURITY: Fixed possible arbitrary file upload and server-side request forgery vulnerability in Page Options import function (only valid for authenticated users) - SECURITY: Fixed arbitrary file upload vulnerability in custom icon font upload (valid only for authors or higher) - SECURITY: Fixed SQL injection and broken access control vulnerability in Critical CSS (valid only for authenticated users) - SECURITY: Fixed Cross Site Scripting (XSS) vulnerability in the User Register element - SECURITY: Fixed Cross Site Request Forgery (CSRF) in elements using access tokens to third-party platforms (only valid for admin users) - NEW: Added WooCommerce special page link options to dynamic data for text field options - COMPATIBILITY: Fixed variation product issue when WooCommerce Product Bundle plugin is used - FIXED: Backslash used as separator in Breadcrumbs Global Option breaking page CSS - FIXED: Avada Slider button option defaults not cleared out when saved empty - FIXED: Bottom left border-radius option not working in Alert element for custom styling - FIXED: Checkbox form element content being shown in notification emails when hidden through conditional form rendering logic - FIXED: Form being scrolled to bottom instead of top when clicking next step button on multi-step Avada Forms - FIXED: JS error happening in multi-step Avada Forms when no Submit Button element was added to the form - FIXED: Visibility options not working in Image element when used together with legacy Containers - FIXED: Image Carousel element not working inside Toggles and FAQ elements - FIXED: Layout set for the main event of The Events Calendar plugin not being applied to the series, if it is a recurring event
Originally published on July 11, 2023