
CVE-2025-24748 – Avada <= 7.11.10 - Missing Authorization
https://notcve.org/view.php?id=CVE-2025-24748
24 Jan 2025 — The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.11.10. This makes it possible for unauthenticated attackers to perform an unauthorized action. • CWE-862: Missing Authorization

CVE-2024-54357 – WordPress Avada theme <= 7.11.10 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-54357
11 Dec 2024 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.10. The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.11.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-7-11-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-1468 – Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-1468
28 Feb 2024 — The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://avada.com/documentation/avada-changelog • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2023-39307 – WordPress Avada theme <= 7.11.1 - Authenticated Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2023-39307
10 Aug 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_import_options' function in versions up to, and including, 7.11.1. This makes it possible for authenticated at... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2023-39313 – WordPress Avada theme <= 7.11.1 - Authenticated Server Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2023-39313
10 Aug 2023 — Server-Side Request Forgery (SSRF) vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 7.11.1 via the 'ajax_import_options' function. This can allow authenticated attackers with contributor privileges to make web requests to arbitrary locat... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2023-39312 – WordPress Avada theme <= 7.11.1 - Auth. Unrestricted Zip Extraction vulnerability
https://notcve.org/view.php?id=CVE-2023-39312
10 Aug 2023 — Missing Authorization vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation when extracting zip files in the 'process_upload' and 'regenerate_icon_files' functions in versions up to, and including, 7.11.1. This makes it possible for authenticated attackers w... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-author-unrestricted-zip-extraction-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type • CWE-862: Missing Authorization

CVE-2023-39922 – WordPress Avada theme <= 7.11.1 - Authenticated Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-39922
10 Aug 2023 — Missing Authorization vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in versions up to, and including, 7.11.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to save Portfoli... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization