364 matches found
WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery
WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can...
Avada < 7.11.7 - Information Disclosure
The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with ...
CVE-2026-12536
The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-12536
CVE-2026-12536 : A Stored Cross-Site Scripting flaw in the Avada (Fusion) Builder plugin for WordPress affects all versions up to 3.15.5. It arises from insufficient input sanitization and output escaping in the Module Title parameter. An authenticated attacker with Contributor-level access or hi...
CVE-2026-12536 Avada Builder <= 3.15.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Module Title
The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-8713
The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...
EUVD-2026-37987
The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...
CVE-2026-8713
CVE-2026-8713 affects the Avada (Fusion) Builder plugin for WordPress, specifically versions up to 3.15.3. The root cause is insufficient file path validation in the maybe_delete_files() function, which builds file paths via simple string replacement without realpath containment checks. An unauth...
CVE-2026-8713
The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...
CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...
PT-2026-50846
Name of the Vulnerable Software and Affected Versions Avada Fusion Builder versions prior to 3.15.4 Description The Avada Fusion Builder plugin for WordPress contains a flaw allowing unauthenticated attackers to delete arbitrary files on the server. This issue stems from insufficient file path...
Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin
On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2026-12256
Contributor PHP Object Injection in Avada = 3.15.3 versions...
CVE-2026-12256 WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability
Contributor PHP Object Injection in Avada = 3.15.3 versions...
CVE-2026-12256
The CVE concerns WordPress sites using the Avada theme ≤ 3.15.3, where a PHP Object Injection vulnerability exists in the Contributor component. The issue is triggered remotely over the network (attack vector: NETWORK, low complexity, required privileges: LOW, no user interaction). The impact is ...
PT-2026-50085
Contributor PHP Object Injection in Avada = 3.15.3 versions...
Exploit for CVE-2026-6279
Description This Python script is an exploit tool for CVE-2026-6...
CVE-2026-1543
The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2026-1509
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's outputactionhook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
CVE-2026-1541
The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusiongetpostcustomfield function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...