ThemeFusion — Vulnerabilities & Security Advisories 45

Browse all 45 CVE security advisories affecting ThemeFusion. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ThemeFusion operates primarily as a developer of WordPress themes and plugins, most notably the Avada framework, which powers a significant portion of the web. Security audits reveal a concerning history, with 36 recorded Common Vulnerabilities and Exposures (CVEs) associated with its ecosystem. These flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from insufficient input validation and improper sanitization of user-supplied data within plugin functionalities. While the company maintains an active support channel for patching, the sheer volume of disclosed issues highlights systemic weaknesses in their development lifecycle. Recent incidents have largely focused on unauthenticated access vectors that allow attackers to execute arbitrary commands or hijack administrative sessions. This pattern suggests that while the software is widely adopted, its security posture has historically lagged behind industry standards, requiring rigorous third-party scrutiny and immediate updates to mitigate exploitation risks.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-56008 | WordPress Fusion Builder plugin <= 3.15.4 - Privilege Escalation vulnerability | Fusion Builder | CWE-266 | 8.8 | High | 2026-06-26 |
| CVE-2026-8713 | Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value | Avada (Fusion) Builder | CWE-22 | 9.1 | Critical | 2026-06-19 |
| CVE-2026-54193 | WordPress Fusion Builder plugin <= 3.15.4 - Arbitrary File Deletion vulnerability | Fusion Builder | CWE-22 | 7.7 | High | 2026-06-17 |
| CVE-2026-12256 | WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability | Avada | CWE-502 | 8.8 | High | 2026-06-16 |
| CVE-2026-54194 | WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability | Fusion Builder | CWE-502 | 9.8 | Critical | 2026-06-16 |
| CVE-2026-1543 | Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes | Avada (Fusion) Builder | CWE-79 | 6.4 | Medium | 2026-05-21 |
| CVE-2026-6279 | Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler | Avada (Fusion) Builder | CWE-74 | 9.8 | Critical | 2026-05-21 |
| CVE-2026-4798 | Avada Builder <= 3.15.1 - Unauthenticated SQL Injection via 'product_order' Parameter | Avada (Fusion) Builder | CWE-89 | 7.5 | High | 2026-05-13 |
| CVE-2026-4782 | Avada Builder <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read via 'custom_svg' Shortcode Parameter | Avada (Fusion) Builder | CWE-36 | 6.5 | Medium | 2026-05-13 |
| CVE-2025-58922 | WordPress Avada theme < 7.13.2 - Cross Site Request Forgery (CSRF) vulnerability | Avada | CWE-352 | 4.3 | Medium | 2026-04-22 |
| CVE-2026-1509 | Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution | Avada (Fusion) Builder | CWE-94 | 5.4 | Medium | 2026-04-15 |
| CVE-2026-1541 | Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference | Avada (Fusion) Builder | CWE-639 | 4.3 | Medium | 2026-04-15 |
| CVE-2026-32542 | WordPress Fusion Builder plugin < 3.15.0 - Reflected Cross Site Scripting (XSS) vulnerability | Fusion Builder | CWE-79 | 7.1 | High | 2026-03-25 |
| CVE-2026-32452 | WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability | Fusion Builder | CWE-862 | 5.3 | Medium | 2026-03-13 |
| CVE-2026-32454 | WordPress Avada Core plugin < 5.15.0 - Cross Site Scripting (XSS) vulnerability | Avada Core | CWE-79 | 6.5 | Medium | 2026-03-13 |
| CVE-2026-32453 | WordPress Avada Core plugin < 5.15.0 - Broken Access Control vulnerability | Avada Core | CWE-862 | 5.3 | Medium | 2026-03-13 |
| CVE-2026-32451 | WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability | Fusion Builder | CWE-862 | 6.5 | Medium | 2026-03-13 |
| CVE-2026-25472 | WordPress Fusion Builder plugin <= 3.14.1 - Cross Site Scripting (XSS) vulnerability | Fusion Builder | CWE-79 | 6.5 | Medium | 2026-02-19 |
| CVE-2025-64634 | WordPress Avada theme <= 7.13.2 - Broken Access Control vulnerability | Avada | CWE-862 | 5.3 | Medium | 2025-12-16 |
| CVE-2025-49940 | WordPress Fusion Builder plugin <= 3.13.2 - Cross Site Scripting (XSS) vulnerability | Fusion Builder | CWE-79 | 6.5 | Medium | 2025-10-22 |
| CVE-2025-6747 | Avada (Fusion) Builder <= 3.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Avada (Fusion) Builder | CWE-79 | 6.4 | Medium | 2025-07-16 |
| CVE-2025-24748 | WordPress Avada theme <= 7.11.10 - Broken Access Control vulnerability | Avada | CWE-862 | 5.3 | Medium | 2025-07-04 |
| CVE-2025-1665 | Avada Builder <= 3.11.14 - Authenticated (Contributor+) Stored Cross-Site Scripting | Avada (Fusion) Builder | CWE-79 | 6.4 | Medium | 2025-04-01 |
| CVE-2024-13345 | Avada Builder <= 3.11.13 - Unauthenticated Arbitrary Shortcode Execution | Avada (Fusion) Builder | CWE-94 | 7.3 | High | 2025-02-13 |
| CVE-2024-13346 | Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution | Avada \| Website Builder For WordPress & WooCommerce | CWE-94 | 7.3 | High | 2025-02-13 |
| CVE-2024-12477 | Avada Builder <= 3.11.11 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets | Avada (Fusion) Builder | CWE-79 | 6.4 | Medium | 2025-01-22 |
| CVE-2024-12335 | Avada Builder <= 3.11.12 - Authenticated (Contributor+) Protected Post Disclosure | Avada (Fusion) Builder | CWE-639 | 4.3 | Medium | 2024-12-25 |
| CVE-2024-54357 | WordPress Avada theme <= 7.11.10 - Cross Site Request Forgery (CSRF) vulnerability | Avada | CWE-352 | 4.3 | Medium | 2024-12-16 |
| CVE-2024-5628 | Avada \| Website Builder For WordPress & eCommerce <= 3.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode | Avada (Fusion) Builder | CWE-79 | 6.4 | Medium | 2024-09-13 |
| CVE-2023-39312 | WordPress Avada theme <= 7.11.1 - Auth. Unrestricted Zip Extraction vulnerability | Avada | CWE-862 | 9.1 | Critical | 2024-06-19 |

This page lists every published CVE security advisory associated with ThemeFusion. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.