Themefusion Avada
By the Year
In 2026 there have been 9 vulnerabilities in Themefusion Avada with an average score of 7.1 out of ten. Last year, in 2025, Avada had 2 security vulnerabilities published. That is, 7 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is also higher, by 1.83.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 9 | 7.13 |
| 2025 | 2 | 5.30 |
| 2024 | 2 | 5.35 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 8.80 |
It may take a day or so for new Avada vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example Avada Core or Avada Builder rather than the Avada theme itself).
Recent Themefusion Avada Security Vulnerabilities
Avada Builder <=3.15.3: Unauthenticated Arbitrary File Deletion
CVE-2026-8713
9.1 - Critical
- June 19, 2026
The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Directory traversal
Avada <=3.15.3: PHP Object Injection Vulnerability
CVE-2026-12256
8.8 - High
- June 16, 2026
PHP Object Injection in Avada versions <= 3.15.3, reachable by authenticated users with Contributor-level access.
Marshaling, Unmarshaling
WordPress Avada Fusion Builder <=3.15.2 Stored XSS via Shortcodes
CVE-2026-1543
6.4 - Medium
- May 21, 2026
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).
XSS
Avada Builder WP Plugin <=3.15.2: Unauthenticated RCE via PHP Function Injection
CVE-2026-6279
9.8 - Critical
- May 21, 2026
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.
Injection
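The root cause described above is a textbook function-injection pattern: a callable name taken from attacker-controlled data is handed to call_user_func() with no allowlist in between. The snippet below is an added illustration and is not Avada's code. It contrasts a hypothetical helper that dispatches whatever function name appears in a base64-encoded JSON blob with a hardened version that only dispatches from a fixed set of WordPress conditional tags. The helper names, the blob layout and the allowlist contents are assumptions made for the demonstration.

```php
<?php
// Added example, not Avada's code: a callable name from an untrusted
// base64/JSON blob reaching call_user_func(), beside an allowlisted
// dispatcher. Helper names, blob layout and allowlist are assumptions.

// Vulnerable pattern: the request decides which PHP function runs.
function render_conditional_unsafe(string $b64): string
{
    $cond = json_decode(base64_decode($b64), true);
    // Attacker controls the callable name and its argument, e.g. system("id").
    return call_user_func($cond['function'], $cond['value']) ? 'shown' : 'hidden';
}

// Hardened pattern: a closed set of conditional tags with fixed arity.
// The decision is "is this exact name on the list", never "does a function
// with this name exist", since function_exists('system') is also true.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_front_page' => 0,
    'is_single'     => 1,
    'is_page'       => 1,
    'is_category'   => 1,
];

function render_conditional_safe(string $b64): string
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        throw new InvalidArgumentException('invalid base64');
    }
    $cond = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    $fn = is_array($cond) ? ($cond['function'] ?? '') : '';

    if (!is_string($fn) || !array_key_exists($fn, ALLOWED_CONDITIONAL_TAGS)) {
        throw new InvalidArgumentException('conditional tag not allowed: ' . var_export($fn, true));
    }
    if (!function_exists($fn)) {
        return 'hidden';   // tag not loaded in this context (e.g. outside WordPress)
    }
    $args = ALLOWED_CONDITIONAL_TAGS[$fn] === 0 ? [] : [(string) ($cond['value'] ?? '')];
    return call_user_func_array($fn, $args) ? 'shown' : 'hidden';
}

// Constructed payload: the request names system() with "id" as its argument.
$payload = base64_encode(json_encode(['function' => 'system', 'value' => 'id']));

try {
    echo render_conditional_safe($payload), "\n";
} catch (InvalidArgumentException | JsonException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// render_conditional_unsafe($payload) would execute `id` on the server.
```

A nonce guards against cross-site request forgery, not against unauthenticated callers; when the nonce is minted for user ID 0 and printed into public page output, as the advisory describes, it adds nothing, so the dispatch itself has to be safe regardless of who reaches the endpoint.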
Avada Builder <3.15.3 Arbitrary File Read via fusion_get_svg_from_file
CVE-2026-4782
6.5 - Medium
- May 13, 2026
The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.
Absolute Path Traversal
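Both the arbitrary file deletion (CVE-2026-8713) and the arbitrary file read (CVE-2026-4782) above come down to a file path derived from request data reaching the filesystem without being confined to the directory it was meant for. The helper below is an added example and is not Avada's code: it resolves a candidate path with realpath() and accepts it only if it lies inside an expected base directory, then reuses that check for both a read and a delete. The base directory, file names and function names are constructed for the demonstration.

```php
<?php
// Added example, not Avada's code: confine a user-influenced file name to a
// base directory before reading or deleting it. Directory and file names
// below are constructed for the demo; paths are POSIX-style.

/**
 * Canonical path of $candidate if it resolves to a regular file inside
 * $baseDir, else null. Handles "../" sequences, absolute paths and symlinks
 * because realpath() canonicalises before the prefix check.
 */
function confine_path(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    // Relative names are joined to the base; absolute names are resolved as given
    // and fail the prefix check unless they genuinely point inside the base.
    $joined = $candidate[0] === DIRECTORY_SEPARATOR ? $candidate : $base . DIRECTORY_SEPARATOR . $candidate;
    $real = realpath($joined);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Trailing separator so that "/srv/uploads-other/x" does not match "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** Read an SVG by name from $baseDir; null if outside the base or not an .svg file. */
function read_svg_confined(string $baseDir, string $name): ?string
{
    $path = confine_path($baseDir, $name);
    if ($path === null || strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }
    return file_get_contents($path);
}

/** Delete a stored entry by name from $baseDir; false if confinement fails. */
function delete_entry_confined(string $baseDir, string $name): bool
{
    $path = confine_path($baseDir, $name);
    return $path !== null && unlink($path);
}

// --- constructed demo: a throwaway base dir and a file outside it ---
$base = sys_get_temp_dir() . '/confine-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents("$base/logo.svg", '<svg xmlns="http://www.w3.org/2000/svg"/>');
file_put_contents("$base/entry-1.dat", 'stored form entry');
$outside = tempnam(sys_get_temp_dir(), 'wpconfig');   // stands in for wp-config.php

$cases = [
    'logo.svg',                       // legitimate
    '../' . basename($outside),       // traversal out of the base
    $outside,                         // absolute path
    'entry-1.dat',                    // inside the base, but not an .svg for the read path
];
foreach ($cases as $name) {
    printf("read   %-40s -> %s\n", $name, read_svg_confined($base, $name) === null ? 'refused' : 'ok');
}
foreach (['../' . basename($outside), 'entry-1.dat'] as $name) {
    printf("delete %-40s -> %s\n", $name, delete_entry_confined($base, $name) ? 'deleted' : 'refused');
}
printf("file outside base still exists: %s\n", file_exists($outside) ? 'yes' : 'no');

// cleanup
@unlink("$base/logo.svg"); @unlink("$base/entry-1.dat"); @rmdir($base); @unlink($outside);
```

Two points from the advisories carry over to any fix of this shape. The check has to sit at the point where the filesystem call happens: in CVE-2026-8713 the deletion runs from a shutdown-hook cleanup routine, long after the request that planted the path, so validating only at form-submission time is not enough. And the note that CVE-2026-4782 was only partially patched in 3.15.2 is a reminder to test a fix against absolute paths, "../" sequences and symlinks, not just the payload in the report.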
Avada Builder WP: Time-based SQLi via product_order (<=3.15.1)
CVE-2026-4798
7.5 - High
- May 13, 2026
The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the product_order parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if WooCommerce was previously used and then deactivated.
SQL Injection
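ORDER BY is the classic place where "use prepared statements" is not the whole answer: a sort column or direction cannot be bound as a parameter, so a request value such as product_order has to be mapped onto a fixed allowlist before it goes anywhere near the query. The example below is added here and is not Avada's code. It uses PDO with an in-memory SQLite table of constructed rows to show a query that interpolates the sort parameter directly beside one that allowlists it and binds the remaining values; the table, column names and allowlist keys are assumptions for the demonstration.

```php
<?php
// Added example, not Avada's code: an ORDER BY clause built from a request
// parameter, beside an allowlisted version. Uses PDO with in-memory SQLite
// (requires the pdo_sqlite extension) and constructed rows.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL, sku TEXT)');
$db->exec("INSERT INTO products (title, price, sku) VALUES
    ('Hat', 9.5, 'H-1'), ('Coat', 80.0, 'C-2'), ('Boots', 45.0, 'B-3')");

// Vulnerable: the sort expression is interpolated verbatim. Prepared statements
// would not help here, since identifiers and ORDER BY expressions cannot be
// bound as parameters; that is why the fix is an allowlist.
function list_products_unsafe(PDO $db, string $productOrder): array
{
    return $db->query("SELECT id, title FROM products ORDER BY $productOrder")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the request value selects from a closed set of column/direction pairs,
// and everything that can be bound (here LIMIT) is bound.
const PRODUCT_ORDER_ALLOWLIST = [
    'default'    => 'title ASC',
    'price-asc'  => 'price ASC',
    'price-desc' => 'price DESC',
    'newest'     => 'id DESC',
];

function list_products_safe(PDO $db, string $productOrder, int $limit = 20): array
{
    $orderBy = PRODUCT_ORDER_ALLOWLIST[$productOrder] ?? PRODUCT_ORDER_ALLOWLIST['default'];
    $stmt = $db->prepare("SELECT id, title FROM products ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed boolean-inference probe: the row order changes depending on
// whether the guessed condition about another row is true. On MySQL, putting
// SLEEP(5) in the THEN branch turns the same probe into the time-based variant.
$probe = "(CASE WHEN (SELECT sku FROM products WHERE id = 1) LIKE 'H%' THEN price ELSE id END) DESC";

echo "unsafe, attacker-chosen ordering:\n";
foreach (list_products_unsafe($db, $probe) as $row) {
    echo "  {$row['id']} {$row['title']}\n";
}
echo "safe, probe ignored, default ordering:\n";
foreach (list_products_safe($db, $probe) as $row) {
    echo "  {$row['id']} {$row['title']}\n";
}
```

In a WordPress plugin the same shape applies: $wpdb->prepare() substitutes %s, %d and %f placeholders for values only and cannot take a column or direction, so the allowlist step still has to come first. The advisory's note that the bug is reachable only when WooCommerce was installed and later deactivated is also a reminder that fallback code paths, which run only when a dependency is missing, need the same review as the main ones.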
CSRF in ThemeFusion Avada theme (before 7.13.2)
CVE-2025-58922
4.3 - Medium
- April 22, 2026
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada. This issue affects Avada: from n/a before 7.13.2.
Session Riding
ThemeFusion Avada Core (fusion-core) <5.15.0: Missing Authorization / Incorrect Access Control
CVE-2026-32453
5.3 - Medium
- March 13, 2026
Missing Authorization vulnerability in ThemeFusion Avada Core (fusion-core) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avada Core: from n/a before 5.15.0.
AuthZ
ThemeFusion Avada Core DOM-Based XSS in fusion-core <5.15.0
CVE-2026-32454
6.5 - Medium
- March 13, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core (fusion-core) allows DOM-Based XSS. This issue affects Avada Core: from n/a before 5.15.0.
XSS
Missing Authorization in ThemeFusion Avada theme <=7.13.2 (ACL Bypass)
CVE-2025-64634
5.3 - Medium
- December 16, 2025
Missing Authorization vulnerability in ThemeFusion Avada (avada) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through 7.13.2.
AuthZ
Missing Authorization in ThemeFusion Avada theme <=7.11.10
CVE-2025-24748
- July 04, 2025
Missing Authorization vulnerability in ThemeFusion Avada (avada). This issue affects Avada: from n/a through 7.11.10.
AuthZ
ThemeFusion Avada CSRF before 7.11.10
CVE-2024-54357
4.3 - Medium
- December 16, 2024
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada (avada). This issue affects Avada: from n/a through 7.11.10.
Session Riding
Avada Theme Stored XSS via Shortcodes up to 7.11.6
CVE-2024-2311
6.4 - Medium
- April 09, 2024
The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
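Shortcode attributes are the input surface in both Stored XSS entries above (CVE-2026-1543 and CVE-2024-2311): values a low-privilege author supplies end up in generated HTML without escaping appropriate to where they land. The renderer below is an added illustration, not the theme's code, written in plain PHP so it runs outside WordPress. It shows a shortcode-style handler that drops attributes straight into markup beside one that escapes or constrains each value for its own context (attribute, text, URL). In a WordPress plugin the equivalent calls are esc_attr(), esc_html(), esc_url() and, for values that may legitimately carry limited HTML, wp_kses_post(); the shortcode name, attribute set and helper names here are assumptions.

```php
<?php
// Added example, not the theme's code: a shortcode-style renderer that drops
// attribute values straight into HTML, beside one that escapes each value for
// the context it lands in. Plain-PHP stand-ins are used for WordPress's
// esc_attr()/esc_html()/esc_url(); shortcode name and attributes are assumptions.

/** Naive renderer: author-supplied attributes reach the page unescaped. */
function render_button_unsafe(array $atts): string
{
    return "<a class=\"{$atts['class']}\" href=\"{$atts['link']}\">{$atts['text']}</a>";
}

/** Attribute and text context: encode the five HTML metacharacters. */
function esc_attr_demo(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** URL context: allow only http, https, mailto or scheme-less (relative) URLs. */
function esc_url_demo(string $url): string
{
    // Browsers drop tabs/newlines/control characters when parsing a scheme, so
    // "java\tscript:" would still execute; remove them before checking.
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url)) ?? '';
    if ($url === '') {
        return '';
    }
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
        return '';
    }
    return esc_attr_demo($url);
}

/** Hardened renderer: each value escaped or constrained for its own context. */
function render_button_safe(array $atts): string
{
    // Class names: constrain to a token alphabet instead of escaping.
    $class = preg_replace('/[^A-Za-z0-9_ -]/', '', $atts['class'] ?? '') ?? '';
    $href  = esc_url_demo($atts['link'] ?? '');
    $text  = esc_attr_demo($atts['text'] ?? '');   // same encoding covers text nodes
    return sprintf('<a class="%s" href="%s">%s</a>', esc_attr_demo($class), $href, $text);
}

// Constructed attributes a low-privilege author might save in a post.
$atts = [
    'class' => 'btn" onmouseover="alert(document.cookie)',
    'link'  => "java\tscript:alert(1)",
    'text'  => '<img src=x onerror=alert(1)>Click',
];
echo render_button_unsafe($atts), "\n";   // script-bearing markup served to every viewer
echo render_button_safe($atts), "\n";     // inert: quotes and angle brackets encoded, URL dropped
```

The escaping belongs at output time, chosen per context, rather than only as sanitisation on save: the CVE-2026-1543 entry above notes that the injected value can arrive through the Dynamic Data feature pulling user profile fields, which a save-time filter on shortcode content would never see.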
ThemeFusion Avada <=7.8.1 CSRF: Arbitrary Plugin Install/Activate
CVE-2022-41996
8.8 - High
- October 27, 2022
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.
Session Riding