Avada < 7.8.2 - Arbitrary Plugin Instalation/Activation via CRSF

The theme does not have CSRF check when installing and activating plugins, which could allow attackers to make logged admins install and activate arbitrary plugins via CSRF attacks