CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

100 matches found

EUVD-2026-37987

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS6.7AI score

Exploits0References2

CVE•added yesterday•12 views

CVE-2026-8713

The CVE-2026-8713 vulnerability affects Avada (Fusion) Builder for WordPress up to version 3.15.3, where the maybe_delete_files() path handling allows path traversal to delete files (e.g., wp-config.php) via a form entry value. An unauthenticated attacker can submit a crafted payload through the ...

9.1CVSS6.7AI score

Exploits0References2

Positive Technologies•added yesterday•8 views

PT-2026-50846

Name of the Vulnerable Software and Affected Versions Avada Fusion Builder versions prior to 3.15.4 Description Insufficient file path validation in the maybe delete files function allows unauthenticated attackers to delete arbitrary files on the server. This issue can lead to remote code executi...

9.1CVSS6.7AI score

Exploits0References11

Wordfence Blog•added 2 days ago•5 views

Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin

On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary...

9.1CVSS6.6AI score

Exploits0

GithubExploit•added 2026/06/13 11:27 a.m.•68 views

Exploit for CVE-2026-6279

Description This Python script is an exploit tool for CVE-2026-6...

9.8CVSS5.3AI score0.01462EPSS

Exploits4

RedhatCVE•added 2026/06/05 7:34 p.m.•6 views

CVE-2026-1509

The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's outputactionhook function accepting user-controlled input to trigger any registered WordPress action hook without proper...

5.4CVSS5.9AI score0.0031EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:34 p.m.•6 views

CVE-2026-1541

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusiongetpostcustomfield function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

4.3CVSS5.4AI score0.00269EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:17 p.m.•8 views

CVE-2026-6279

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

9.8CVSS6.2AI score0.01462EPSS

Exploits4References1

RedhatCVE•added 2026/06/05 7:14 p.m.•7 views

CVE-2026-4798

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘productorder’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS5.7AI score0.00357EPSS

Exploits0References1

GithubExploit•added 2026/05/23 9:33 a.m.•102 views

Exploit for CVE-2026-6279

CVE-2026-6279 Avada Builder = 3.15.2 — Unauthenticated RCE v...

9.8CVSS5.8AI score0.01462EPSS

Exploits4

GithubExploit•added 2026/05/23 6:36 a.m.•89 views

Exploit for CVE-2026-6279

CVE-2026-6279 CVE-2026-6279: Avada Fusion Builder = 3.15...

9.8CVSS6.2AI score0.01462EPSS

Exploits4

NVD•added 2026/05/21 5:16 a.m.•14 views

CVE-2026-6279

9.8CVSS0.01462EPSS

Exploits4References12

NVD•added 2026/05/21 5:16 a.m.•18 views

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

6.4CVSS0.00258EPSS

Exploits0References3

Vulnrichment•added 2026/05/21 4:28 a.m.•7 views

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4CVSS6AI score0.00258EPSS

Exploits0References3

CVE•added 2026/05/21 4:28 a.m.•19 views

CVE-2026-1543

CVE-2026-1543 concerns the Avada (Fusion) Builder WordPress plugin. All versions up to and including 3.15.2 are affected by a Stored Cross-Site Scripting (XSS) flaw due to insufficient input sanitization and output escaping. The vulnerability can be exploited by an authenticated attacker with Sub...

6.4CVSS6AI score0.00258EPSS

Exploits0References3

Cvelist•added 2026/05/21 4:28 a.m.•44 views

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4CVSS0.00258EPSS

Exploits0References3

EUVD•added 2026/05/21 4:28 a.m.•14 views

EUVD-2026-31211

6.4CVSS6AI score0.00258EPSS

Exploits0References3

EUVD•added 2026/05/21 4:27 a.m.•12 views

EUVD-2026-31209

9.8CVSS6.3AI score0.01462EPSS

Exploits4References12

ATTACKERKB•added 2026/05/21 4:27 a.m.•12 views

CVE-2026-6279

9.8CVSS6.3AI score0.01462EPSS

Exploits4References13

Cvelist•added 2026/05/21 4:27 a.m.•41 views

CVE-2026-6279 Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler

9.8CVSS0.01462EPSS

Exploits4References12

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by