Themefusion


Products by Themefusion, sorted by most security vulnerabilities since 2018

Product                      Vulnerabilities
Themefusion Avada            14
Themefusion Fusion Builder    9
Themefusion Fusion Core       2

By the Year

In 2026 there have been 17 vulnerabilities in Themefusion products, with an average CVE base score of 6.9 out of ten. Last year, in 2025, Themefusion had 8 security vulnerabilities published, so 9 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is higher by 0.34.

Year   Vulnerabilities   Average Score
2026   17                6.86
2025    8                6.51
2024    6                5.72
2023    1                6.40
2022    1                8.80

It may take a day or so for new Themefusion vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example, several entries below carry a 3.x version number, which belongs to the Avada (Fusion) Builder plugin, while the Products column says Avada).

Recent Themefusion Security Vulnerabilities

CVE | Date | Vulnerability | Products

CVE-2026-8713 | Jun 19, 2026 | Products: Avada
Avada Builder <= 3.15.3 vulnerable to unauthenticated file deletion. The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.

CVE-2026-54193 | Jun 17, 2026 | Products: Fusion Builder
Fusion Builder <= 3.15.4 arbitrary file deletion (requires Contributor-level access). An authenticated attacker with Contributor-level access can delete arbitrary files in Fusion Builder versions up to and including 3.15.4.

CVE-2026-12256 | Jun 16, 2026 | Products: Avada
Avada <= 3.15.3 PHP Object Injection (requires Contributor-level access). An authenticated attacker with Contributor-level access can trigger PHP Object Injection in versions up to and including 3.15.3.

CVE-2026-54194 | Jun 16, 2026 | Products: Fusion Builder
Fusion Builder <= 3.15.4 PHP Object Injection (requires Contributor-level access). An authenticated attacker with Contributor-level access can trigger PHP Object Injection in Fusion Builder versions up to and including 3.15.4.

CVE-2026-1543 | May 21, 2026 | Products: Avada
WordPress Avada Fusion Builder <= 3.15.2 Stored XSS via shortcodes. The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).

CVE-2026-6279 | May 21, 2026 | Products: Avada
Avada Builder WP plugin <= 3.15.2: unauthenticated RCE via PHP function injection. The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.

CVE-2026-4782 | May 13, 2026 | Products: Avada
Avada Builder < 3.15.3 arbitrary file read via fusion_get_svg_from_file. The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.

CVE-2026-4798 | May 13, 2026 | Products: Avada
Avada Builder WP plugin <= 3.15.1: time-based SQL injection via product_order. The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the product_order parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: the vulnerability can only be exploited if WooCommerce was previously used and then deactivated.

CVE-2025-58922 | Apr 22, 2026 | Products: Avada
CSRF in the ThemeFusion Avada theme before 7.13.2. A Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows cross-site request forgery. This issue affects Avada versions before 7.13.2 (the earliest affected version is not specified).

CVE-2026-1509 | Apr 15, 2026 | Products: Fusion Builder
Avada (Fusion) Builder WP plugin <= 3.15.1: arbitrary action execution. The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation.
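The file-deletion entry above (CVE-2026-8713) comes down to one missing check: a client-supplied path is joined onto a directory and deleted without confirming where it actually resolves. The block below is an added example and not code from the Avada/Fusion Builder plugin (which is PHP); it is written in Python to show the same shape next to its hardened form, resolving the path with realpath() and testing containment with commonpath() rather than a string prefix. The directory layout, file names and function names are constructed for the illustration.

```python
import os
import tempfile


def resolve_inside(base_dir, user_path):
    """Return the canonical path for user_path under base_dir, or None if it escapes.

    realpath() collapses '..' segments and follows symlinks, so the containment
    test runs on where the path actually lands, not on the string the client
    sent.  Absolute input is refused up front: os.path.join() would silently
    discard base_dir for it.
    """
    if not user_path or os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: "/srv/uploads-evil" starts with "/srv/uploads".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def unsafe_delete(base_dir, user_path):
    """Shape of the reported bug: join the client-supplied path and delete it."""
    target = os.path.join(base_dir, user_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def safe_delete(base_dir, user_path):
    """Hardened form: only delete a regular file that resolves inside base_dir."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Constructed layout (not a real site): <root>/wp-config.php beside
    <root>/uploads/forms/entry.txt; the cleanup routine is scoped to <root>/uploads."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "forms"))
    config = os.path.join(root, "wp-config.php")
    entry = os.path.join(uploads, "forms", "entry.txt")
    for path in (config, entry):
        with open(path, "w") as fh:
            fh.write("placeholder\n")

    results = {
        "safe_rejects_traversal": safe_delete(uploads, "../wp-config.php"),
        "config_survives": os.path.isfile(config),
        "safe_deletes_entry": safe_delete(uploads, "forms/entry.txt"),
        "entry_gone": not os.path.exists(entry),
        # the same traversal payload against the unchecked variant removes the config
        "unsafe_deletes_config": unsafe_delete(uploads, "../wp-config.php"),
    }
    results["config_gone_after_unsafe"] = not os.path.exists(config)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is only half of the fix for this entry: the advisory also says the submitter could set the retention fields that drive the cleanup. Server-side retention policy should come from the form's saved configuration, never from the submitted entry, so a request body cannot schedule its own deletion.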
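The RCE entry above (CVE-2026-6279) describes a function name taken from a base64-encoded JSON request body and handed to call_user_func() with no allowlist. As an added example, not the plugin's code, the block below reproduces that shape in Python (globals() standing in for PHP's call_user_func on a string) and places the allowlisted dispatcher beside it. The conditional-tag stand-ins, the dangerous_sink function and the request format are constructed for the illustration.

```python
import base64
import json


# Constructed stand-ins for WordPress conditional tags (the real plugin would
# dispatch to the WordPress functions of the same name).
def is_front_page():
    return True


def is_singular(post_type="post"):
    return post_type == "post"


def dangerous_sink(command):
    """Stand-in for any function that must never be reachable from request data."""
    return f"would execute: {command}"


# Explicit allowlist: the only callables a request may name.
CONDITIONAL_TAGS = {
    "is_front_page": is_front_page,
    "is_singular": is_singular,
}


def make_blob(spec):
    """Encode a request the way the advisory describes it: JSON inside base64."""
    return base64.b64encode(json.dumps(spec).encode()).decode()


def decode_blob(blob):
    return json.loads(base64.b64decode(blob))


def vulnerable_evaluate(blob):
    """Shape of the reported bug: the request names the function to call and
    nothing restricts which one."""
    spec = decode_blob(blob)
    return globals()[spec["function"]](*spec.get("args", []))


def hardened_evaluate(blob):
    """Resolve the name through the allowlist and constrain the argument shape."""
    spec = decode_blob(blob)
    name = spec.get("function")
    if name not in CONDITIONAL_TAGS:
        raise ValueError(f"conditional tag not permitted: {name!r}")
    args = spec.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, (str, int, bool)) for a in args):
        raise ValueError("arguments must be a flat list of scalars")
    return CONDITIONAL_TAGS[name](*args)


def demo():
    legit = make_blob({"function": "is_singular", "args": ["post"]})
    hostile = make_blob({"function": "dangerous_sink", "args": ["id"]})
    try:
        hardened_evaluate(hostile)
        hostile_blocked = False
    except ValueError:
        hostile_blocked = True
    return {
        "legit_result": hardened_evaluate(legit),
        "vulnerable_runs_sink": vulnerable_evaluate(hostile),
        "hardened_blocks_sink": hostile_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist addresses the injection; it does not address the second point in the entry. A nonce generated for user ID 0 and printed into public pages is not a secret, so it cannot stand in for authorization on a nopriv handler: anything that endpoint can do must be safe for an anonymous caller, or the handler must perform a real capability check.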
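The practical question this list raises is whether a given install falls inside any of the stated ranges. The block below is an added example, not stack.watch or ThemeFusion code: it encodes the affected ranges exactly as the entries above state them, reads the Version: line from a WordPress plugin or theme header, and compares versions numerically so 3.15.10 sorts after 3.15.9. The component labels fusion-builder and avada-theme are chosen here (the entries with a 3.x version all describe the Avada (Fusion) Builder plugin, whatever the Products column says; CVE-2025-58922 is the 7.x theme), and the sample header is constructed.

```python
import re

# Affected ranges as the entries above state them: "<=" is "all versions up
# to, and including"; "<" is "before".  Component labels are this example's own.
ADVISORIES = [
    ("CVE-2026-8713", "fusion-builder", "<=", "3.15.3"),
    ("CVE-2026-54193", "fusion-builder", "<=", "3.15.4"),
    ("CVE-2026-12256", "fusion-builder", "<=", "3.15.3"),
    ("CVE-2026-54194", "fusion-builder", "<=", "3.15.4"),
    ("CVE-2026-1543", "fusion-builder", "<=", "3.15.2"),
    ("CVE-2026-6279", "fusion-builder", "<=", "3.15.2"),
    ("CVE-2026-4782", "fusion-builder", "<=", "3.15.2"),
    ("CVE-2026-4798", "fusion-builder", "<=", "3.15.1"),
    ("CVE-2026-1509", "fusion-builder", "<=", "3.15.1"),
    ("CVE-2025-58922", "avada-theme", "<", "7.13.2"),
]


def parse_version(text):
    """Numeric tuple for comparison, padded to four places so 3.15 == 3.15.0
    and 3.15.10 sorts after 3.15.9.  A trailing suffix such as -beta1 is
    ignored, i.e. a pre-release is treated as its release number."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(op, boundary, version):
    v, b = parse_version(version), parse_version(boundary)
    return v <= b if op == "<=" else v < b


def applicable_cves(component, version):
    """CVE ids from ADVISORIES whose range contains the installed version."""
    return [cve for cve, comp, op, bound in ADVISORIES
            if comp == component and is_affected(op, bound, version)]


# Matches the "Version:" line of a WordPress plugin main file or theme style.css.
HEADER_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_header(text):
    match = HEADER_VERSION.search(text)
    return match.group(1) if match else None


# Constructed header in the WordPress plugin-header format (not the real file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Avada Builder
 * Version: 3.15.2
 */
"""


if __name__ == "__main__":
    installed = version_from_header(SAMPLE_PLUGIN_HEADER)
    print(installed, applicable_cves("fusion-builder", installed))
```

Point version_from_header at the plugin's main PHP file (or the theme's style.css for the 7.x entry) on the host, and treat a non-empty result as a reason to update; the ranges here only reflect what this page states, so re-check the vendor advisory for anything it lists as partially patched, such as CVE-2026-4782.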
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).