Lucene search
+L

106 matches found

NVD
NVD
added 5 days ago5 views

CVE-2026-12536

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00168EPSS
Exploits0References2
CVE
CVE
added 5 days ago6 views

CVE-2026-12536

CVE-2026-12536 : A Stored Cross-Site Scripting flaw in the Avada (Fusion) Builder plugin for WordPress affects all versions up to 3.15.5. It arises from insufficient input sanitization and output escaping in the Module Title parameter. An authenticated attacker with Contributor-level access or hi...

6.4CVSS6.2AI score0.00168EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-12536 Avada Builder <= 3.15.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Module Title

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00168EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 6:17 a.m.18 views

CVE-2026-8713

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS0.01193EPSS
Exploits1References2
CVE
CVE
added 2026/06/19 4:31 a.m.87 views

CVE-2026-8713

CVE-2026-8713 affects the Avada (Fusion) Builder plugin for WordPress, specifically versions up to 3.15.3. The root cause is insufficient file path validation in the maybe_delete_files() function, which builds file paths via simple string replacement without realpath containment checks. An unauth...

9.1CVSS6.7AI score0.01193EPSS
In wildExploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:31 a.m.9 views

CVE-2026-8713

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS6.7AI score0.01193EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/19 4:31 a.m.17 views

EUVD-2026-37987

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS6.7AI score0.01193EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/19 4:31 a.m.62 views

CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1CVSS0.01193EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.27 views

PT-2026-50846

Name of the Vulnerable Software and Affected Versions Avada Fusion Builder versions prior to 3.15.4 Description The Avada Fusion Builder plugin for WordPress contains a flaw allowing unauthenticated attackers to delete arbitrary files on the server. This issue stems from insufficient file path...

9.1CVSS6.6AI score0.01193EPSS
Exploits1References27
Wordfence Blog
Wordfence Blog
added 2026/06/18 4:42 p.m.11 views

Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin

On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary...

9.1CVSS6.6AI score0.01193EPSS
Exploits1
GithubExploit
GithubExploit
added 2026/06/13 11:27 a.m.109 views

Exploit for CVE-2026-6279

Description This Python script is an exploit tool for CVE-2026-6...

9.8CVSS5.3AI score0.02163EPSS
Exploits4
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.13 views

CVE-2026-1509

The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's outputactionhook function accepting user-controlled input to trigger any registered WordPress action hook without proper...

5.4CVSS5.9AI score0.0031EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.14 views

CVE-2026-1541

The Avada Fusion Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's fusiongetpostcustomfield function failing to validate whether metadata keys are protected underscore-prefixed. This makes it...

4.3CVSS5.4AI score0.00269EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.14 views

CVE-2026-6279

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

9.8CVSS6.2AI score0.02163EPSS
Exploits4References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:14 p.m.10 views

CVE-2026-4798

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘productorder’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS5.7AI score0.00511EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/05/23 9:33 a.m.185 views

Exploit for CVE-2026-6279

CVE-2026-6279 Avada Builder = 3.15.2 — Unauthenticated RCE v...

9.8CVSS5.8AI score0.02163EPSS
Exploits4
GithubExploit
GithubExploit
added 2026/05/23 6:36 a.m.178 views

Exploit for CVE-2026-6279

CVE-2026-6279 CVE-2026-6279: Avada Fusion Builder = 3.15...

9.8CVSS6.2AI score0.02163EPSS
Exploits4
NVD
NVD
added 2026/05/21 5:16 a.m.38 views

CVE-2026-6279

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

9.8CVSS0.02163EPSS
Exploits4References12
NVD
NVD
added 2026/05/21 5:16 a.m.33 views

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

6.4CVSS0.00337EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/21 4:28 a.m.55 views

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

6.4CVSS0.00337EPSS
Exploits0References3
Rows per page
Query Builder