Lucene search
+L

364 matches found

nuclei
nuclei
added yesterday115 views

WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery

WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can...

9.8CVSS7.1AI score0.71722EPSS
Exploits6References5
nuclei
nuclei
added yesterday246 views

Avada < 7.11.7 - Information Disclosure

The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with ...

5.3CVSS7AI score0.27997EPSS
Exploits1References4
nvd
nvd
added 4 days ago5 views

CVE-2026-12536

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00168EPSS
Exploits0References2
cve
cve
added 4 days ago6 views

CVE-2026-12536

CVE-2026-12536 : A Stored Cross-Site Scripting flaw in the Avada (Fusion) Builder plugin for WordPress affects all versions up to 3.15.5. It arises from insufficient input sanitization and output escaping in the Module Title parameter. An authenticated attacker with Contributor-level access or hi...

6.4CVSS6.2AI score0.00168EPSS
Exploits0References2
cvelist
cvelist
added 4 days ago31 views

CVE-2026-12536 Avada Builder <= 3.15.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Module Title

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00168EPSS
Exploits0References2
nvd
nvd
added 2026/06/19 6:17 a.m.17 views

CVE-2026-8713

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS0.01193EPSS
Exploits1References2
euvd
euvd
added 2026/06/19 4:31 a.m.16 views

EUVD-2026-37987

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS6.7AI score0.01193EPSS
Exploits1References2
cve
cve
added 2026/06/19 4:31 a.m.83 views

CVE-2026-8713

CVE-2026-8713 affects the Avada (Fusion) Builder plugin for WordPress, specifically versions up to 3.15.3. The root cause is insufficient file path validation in the maybe_delete_files() function, which builds file paths via simple string replacement without realpath containment checks. An unauth...

9.1CVSS6.7AI score0.01193EPSS
In wildExploits1References2
attackerkb
attackerkb
added 2026/06/19 4:31 a.m.9 views

CVE-2026-8713

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS6.7AI score0.01193EPSS
Exploits1References3
cvelist
cvelist
added 2026/06/19 4:31 a.m.61 views

CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS0.01193EPSS
Exploits1References2
ptsecurity
ptsecurity
added 2026/06/19 12:0 a.m.25 views

PT-2026-50846

Name of the Vulnerable Software and Affected Versions Avada Fusion Builder versions prior to 3.15.4 Description The Avada Fusion Builder plugin for WordPress contains a flaw allowing unauthenticated attackers to delete arbitrary files on the server. This issue stems from insufficient file path...

9.1CVSS6.6AI score0.01193EPSS
Exploits1References27
wordfence
wordfence
added 2026/06/18 4:42 p.m.9 views

Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin

On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary...

9.1CVSS6.6AI score0.01193EPSS
Exploits1
nvd
nvd
added 2026/06/17 1:19 p.m.8 views

CVE-2026-12256

Contributor PHP Object Injection in Avada = 3.15.3 versions...

8.8CVSS0.00482EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/16 8:57 p.m.28 views

CVE-2026-12256 WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability

Contributor PHP Object Injection in Avada = 3.15.3 versions...

8.8CVSS0.00482EPSS
Exploits0References1
cve
cve
added 2026/06/16 8:57 p.m.20 views

CVE-2026-12256

The CVE concerns WordPress sites using the Avada theme ≤ 3.15.3, where a PHP Object Injection vulnerability exists in the Contributor component. The issue is triggered remotely over the network (attack vector: NETWORK, low complexity, required privileges: LOW, no user interaction). The impact is ...

8.8CVSS5.3AI score0.00482EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/16 12:0 a.m.9 views

PT-2026-50085

Contributor PHP Object Injection in Avada = 3.15.3 versions...

8.8CVSS5.4AI score0.00482EPSS
Exploits0References2
githubexploit
githubexploit
added 2026/06/13 11:27 a.m.105 views

Exploit for CVE-2026-6279

Description This Python script is an exploit tool for CVE-2026-6...

9.8CVSS5.3AI score0.02163EPSS
Exploits4
redhatcve
redhatcve
added 2026/06/05 7:34 p.m.10 views

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

6.4CVSS5.6AI score0.00337EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:34 p.m.11 views

CVE-2026-1509

The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's outputactionhook function accepting user-controlled input to trigger any registered WordPress action hook without proper...

5.4CVSS5.9AI score0.0031EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:34 p.m.13 views

CVE-2026-1541

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusiongetpostcustomfield function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

4.3CVSS5.4AI score0.00269EPSS
Exploits0References1
Rows per page
Query Builder