
CVE-2025-24748 – Avada <= 7.11.10 - Missing Authorization
https://notcve.org/view.php?id=CVE-2025-24748
24 Jan 2025 — The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.11.10. This makes it possible for unauthenticated attackers to perform an unauthorized action. • CWE-862: Missing Authorization •

CVE-2024-54357 – WordPress Avada theme <= 7.11.10 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-54357
11 Dec 2024 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.10. The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.11.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-7-11-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-1468 – Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-1468
28 Feb 2024 — The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://avada.com/documentation/avada-changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-39922 – WordPress Avada theme <= 7.11.1 - Authenticated Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-39922
10 Aug 2023 — Missing Authorization vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in versions up to, and including, 7.11.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to save Portfoli... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2023-39307 – WordPress Avada theme <= 7.11.1 - Authenticated Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2023-39307
10 Aug 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_import_options' function in versions up to, and including, 7.11.1. This makes it possible for authenticated at... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-39312 – WordPress Avada theme <= 7.11.1 - Auth. Unrestricted Zip Extraction vulnerability
https://notcve.org/view.php?id=CVE-2023-39312
10 Aug 2023 — Missing Authorization vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation when extracting zip files in the 'process_upload' and 'regenerate_icon_files' functions in versions up to, and including, 7.11.1. This makes it possible for authenticated attackers w... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-author-unrestricted-zip-extraction-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type • CWE-862: Missing Authorization •

CVE-2023-39313 – WordPress Avada theme <= 7.11.1 - Authenticated Server Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2023-39313
10 Aug 2023 — Server-Side Request Forgery (SSRF) vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a through 7.11.1. The Avada theme for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 7.11.1 via the 'ajax_import_options' function. This can allow authenticated attackers with contributor privileges to make web requests to arbitrary locat... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-theme-7-11-1-authenticated-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2022-41996 – WordPress Avada premium theme <= 7.8.1 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-41996
21 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation. The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.8.1 in class-avada-admin.php. This... • https://patchstack.com/database/vulnerability/avada/wordpress-avada-premium-theme-7-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-1386 – Fusion Builder < 3.6.2 - Unauthenticated SSRF
https://notcve.org/view.php?id=CVE-2022-1386
19 Apr 2022 — The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms, which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network, bypassing firewalls and access control measures. • https://github.com/ardzz/CVE-2022-1386 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2020-36711 – Avada <= 6.2.2 - Authenticated (Contributor+) Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-36711
24 Apr 2020 — The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the update_layout function in versions up to, and including, 6.2.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://blog.nintechnet.com/avada-wordpress-theme-fixed-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •