ThemeFusion — Vulnerabilities & Security Advisories (45)

Browse all 45 CVE security advisories affecting ThemeFusion. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ThemeFusion operates primarily as a developer of WordPress themes and plugins, most notably the Avada framework, which powers a significant portion of the web. Security audits reveal a concerning history, with 36 recorded Common Vulnerabilities and Exposures (CVEs) associated with its ecosystem. These flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from insufficient input validation and improper sanitization of user-supplied data within plugin functionalities. While the company maintains an active support channel for patching, the sheer volume of disclosed issues highlights systemic weaknesses in their development lifecycle. Recent incidents have largely focused on unauthenticated access vectors that allow attackers to execute arbitrary commands or hijack administrative sessions. This pattern suggests that while the software is widely adopted, its security posture has historically lagged behind industry standards, requiring rigorous third-party scrutiny and immediate updates to mitigate exploitation risks.

| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2023-39310 | WordPress Avada Builder plugin <= 3.11.1 - Authenticated Broken Access Control vulnerability — Fusion Builder CWE-862 | 5.4 | Medium | 2024-06-19 |
| CVE-2023-39922 | WordPress Avada theme <= 7.11.1 - Authenticated Broken Access Control vulnerability — Avada CWE-862 | 4.3 | Medium | 2024-06-19 |
| CVE-2024-2311 | Avada <= 7.11.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Avada \| Website Builder For WordPress & WooCommerce CWE-79 | 6.4 | Medium | 2024-04-09 |
| CVE-2024-2344 | Avada <= 7.11.6 - Authenticated (Admin+) SQL Injection via entry — Avada \| Website Builder For WordPress & WooCommerce CWE-89 | 7.2 | High | 2024-04-09 |
| CVE-2024-2340 | Avada <= 7.11.6 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing — Avada \| Website Builder For WordPress & WooCommerce CWE-548 | 5.3 | Medium | 2024-04-09 |
| CVE-2024-2343 | Avada <= 7.11.6 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action — Avada \| Website Builder For WordPress & WooCommerce CWE-918 | 6.4 | Medium | 2024-04-09 |
| CVE-2023-39309 | WordPress Avada Builder plugin <= 3.11.1 - Auth. SQL Injection vulnerability — Fusion Builder CWE-89 | 8.5 | High | 2024-03-28 |
| CVE-2023-39313 | WordPress Avada theme <= 7.11.1 - Authenticated Server Side Request Forgery (SSRF) vulnerability — Avada CWE-918 | 7.7 | High | 2024-03-28 |
| CVE-2023-39311 | WordPress Avada Builder plugin <= 3.11.1 - Cross Site Request Forgery (CSRF) vulnerability — Fusion Builder CWE-352 | 7.1 | High | 2024-03-27 |
| CVE-2023-39306 | WordPress Avada Builder plugin <= 3.11.1 - Reflected Cross Site Scripting (XSS) vulnerability — Fusion Builder CWE-79 | 7.1 | High | 2024-03-27 |
| CVE-2023-39307 | WordPress Avada theme <= 7.11.1 - Authenticated Arbitrary File Upload vulnerability — Avada CWE-434 | 8.5 | High | 2024-03-26 |
| CVE-2024-1668 | Avada <= 7.11.5 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries — Avada \| Website Builder For WordPress & WooCommerce CWE-284 | 6.5 | Medium | 2024-03-13 |
| CVE-2024-1468 | Avada \| Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload — Avada \| Website Builder For WordPress & WooCommerce CWE-434 | 8.8 | High | 2024-02-29 |
| CVE-2020-36711 | Avada <= 6.2.2 - Authenticated (Contributor+) Cross-Site Scripting — Avada \| Website Builder For WordPress & WooCommerce CWE-79 | 6.4 | Medium | 2023-06-07 |
| CVE-2022-41996 | WordPress Avada premium theme <= 7.8.1 - Cross-Site Request Forgery (CSRF) vulnerability — Avada (premium WordPress theme) CWE-352 | 8.8 | High | 2022-10-27 |

This page lists every published CVE security advisory associated with ThemeFusion. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.