cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12477,https://securityvulnerability.io/vulnerability/CVE-2024-12477,Stored Cross-Site Scripting Vulnerability in Avada Builder Plugin for WordPress,"The Avada Builder plugin for WordPress, present in versions up to and including 3.11.11, suffers from a Stored Cross-Site Scripting vulnerability. This issue arises from inadequate input sanitization and output escaping of user-supplied attributes in the plugin's shortcodes. Consequently, authenticated users with contributor-level access or higher can exploit this vulnerability by injecting arbitrary web scripts into pages. These scripts execute every time a user visits the compromised page, potentially leading to data theft and site manipulation.",Wordpress,Avada (fusion) Builder,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-22T21:21:53.814Z,0
CVE-2024-12335,https://securityvulnerability.io/vulnerability/CVE-2024-12335,Information Exposure Vulnerability in Avada Builder Plugin for WordPress,"The Avada (Fusion) Builder plugin for WordPress has a vulnerability that allows authenticated attackers with contributor-level access and above to exploit information exposure. Through the handle_clone_post() function and the 'fusion_blog' shortcode, the plugin lacks adequate restrictions, enabling unauthorized access to data from password-protected, private, or draft posts. This poses a significant risk as attackers may glean sensitive information they are not permitted to access, potentially compromising user data confidentiality.",Wordpress,Avada (fusion) Builder,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-25T06:42:13.625Z,0
CVE-2024-2311,https://securityvulnerability.io/vulnerability/CVE-2024-2311,Stored Cross-Site Scripting Vulnerability in Avada Theme Affects User Supplied Attributes,"The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Avada | Website Builder For WordPress & WooCommerce,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-09T18:59:36.184Z,0
CVE-2024-2344,https://securityvulnerability.io/vulnerability/CVE-2024-2344,Avada Theme Vulnerable to SQL Injection,"The Avada theme for WordPress, developed by ThemeFusion, is exposed to a SQL Injection vulnerability due to improper handling of the 'entry' parameter. This security flaw, present in all versions up to and including 7.11.6, arises from insufficient sanitization and escaping of user input, leading to the potential for authenticated attackers with editor-level access or higher to manipulate existing SQL queries. Consequently, this may allow them to append malicious SQL commands, enabling them to extract sensitive information stored within the database, thereby compromising the security of WordPress sites utilizing this theme.",Wordpress,Avada | Website Builder For WordPress & WooCommerce,7.2,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-09T18:59:22.329Z,0
CVE-2024-2340,https://securityvulnerability.io/vulnerability/CVE-2024-2340,Sensitive Information Exposure in Avada Theme for WordPress,"The Avada theme for WordPress contains a vulnerability that enables unauthenticated attackers to access sensitive information through the '/wp-content/uploads/fusion-forms/' directory. This flaw permits unauthorized extraction of files submitted via forms created using the Avada theme, potentially leading to data breaches and compromised privacy. All versions up to and including 7.11.6 are affected, highlighting the need for immediate updates and security measures to protect user data.",Wordpress,Avada | Website Builder For WordPress & WooCommerce,5.3,MEDIUM,0.000590000010561198,false,,false,false,false,,false,false,2024-04-09T18:59:06.567Z,0
CVE-2024-2343,https://securityvulnerability.io/vulnerability/CVE-2024-2343,Server-Side Request Forgery in Avada Website Builder for WordPress,"The Avada Website Builder for WordPress is exposed to vulnerabilities in its functionality, allowing authenticated users with contributor-level access and above to conduct Server-Side Request Forgery (SSRF) attacks. This flaw exists within the form_to_url_action function, enabling attackers to send unauthorized web requests to arbitrary locations. Such access can potentially compromise sensitive information and modify data in internal services, highlighting the importance of security patches and vigilance in maintaining WordPress applications.",Wordpress,Avada | Website Builder For WordPress & WooCommerce,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-09T18:59:03.916Z,0
CVE-2024-1668,https://securityvulnerability.io/vulnerability/CVE-2024-1668,Sensitive Information Exposure Vulnerability Affects Avada Website Builder,"The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's ""password"" field).",Wordpress,Avada | Website Builder For WordPress & WooCommerce,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-13T15:32:40.387Z,0
CVE-2024-1468,https://securityvulnerability.io/vulnerability/CVE-2024-1468,Arbitrary File Uploads Vulnerability Affects Avada Website Builder,"The Avada Website Builder for WordPress & WooCommerce theme has a vulnerability that allows authenticated users with contributor-level access and above to perform arbitrary file uploads. This security flaw originates from inadequate file type validation in the ajax_import_options() function, present in all versions up to and including 7.11.4. If exploited, this vulnerability could lead to unauthorized files being uploaded to the server, potentially enabling remote code execution and other malicious activities. Website administrators are urged to take immediate action to mitigate associated risks.",Wordpress,Avada | Website Builder For WordPress & WooCommerce,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-02-29T03:30:29.778Z,0
CVE-2020-36711,https://securityvulnerability.io/vulnerability/CVE-2020-36711,Stored Cross-Site Scripting in Avada Theme for WordPress,"The Avada theme for WordPress is susceptible to Stored Cross-Site Scripting through the update_layout function, as found in versions up to and including 6.2.3. This vulnerability arises from inadequate input sanitization and output escaping, allowing attackers with contributor-level access and above to inject malicious web scripts into pages. The compromised pages may execute the injected scripts in the browsers of unsuspecting users, leading to potential data theft or further exploitation.",Wordpress,Avada | Website Builder For WordPress & WooCommerce,6.4,MEDIUM,0.0008900000248104334,false,,false,false,false,,false,false,2023-06-07T01:51:24.728Z,0
CVE-2022-41996,https://securityvulnerability.io/vulnerability/CVE-2022-41996,WordPress Avada premium theme <= 7.8.1 - Cross-Site Request Forgery (CSRF) vulnerability,Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.,Wordpress,Avada (premium WordPress Theme),8.8,HIGH,0.00139999995008111,false,,false,false,false,,false,false,2022-10-27T17:15:00.000Z,0
CVE-2017-18607,https://securityvulnerability.io/vulnerability/CVE-2017-18607,,The avada theme before 5.1.5 for WordPress has CSRF.,Wordpress,Avada,8.8,HIGH,0.0010000000474974513,false,,false,false,false,,false,false,2019-09-10T11:18:24.000Z,0
CVE-2017-18606,https://securityvulnerability.io/vulnerability/CVE-2017-18606,,The avada theme before 5.1.5 for WordPress has stored XSS.,Wordpress,Avada,6.1,MEDIUM,0.0006200000061653554,false,,false,false,false,,false,false,2019-09-10T11:17:26.000Z,0