Themefusion Avada (Fusion) Builder
12 CVEs affecting Themefusion Avada (Fusion) Builder. Latest disclosed: 2026-05-21. Critical: 1, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-6279 | Critical | 9.8 | 2026-05-21 | The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and… |
CVE-2026-4798 | High | 7.5 | 2026-05-13 | The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1… |
CVE-2024-13345 | High | 7.3 | 2025-02-13 | The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the softwar… |
CVE-2026-4782 | Medium | 6.5 | 2026-05-13 | The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' fun… |
CVE-2026-1543 | Medium | 6.4 | 2026-05-21 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15… |
CVE-2025-6747 | Medium | 6.4 | 2025-07-16 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusion_map' shortcode in all versions up to, and… |
CVE-2025-1665 | Medium | 6.4 | 2025-04-01 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and… |
CVE-2024-12477 | Medium | 6.4 | 2025-01-22 | The Avada Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.11.11 d… |
CVE-2024-5628 | Medium | 6.4 | 2024-09-13 | The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusion_button shortcod… |
CVE-2026-1509 | Medium | 5.4 | 2026-04-15 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due… |
CVE-2026-1541 | Medium | 4.3 | 2026-04-15 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to th… |
CVE-2024-12335 | Medium | 4.3 | 2024-12-25 | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post()… |