cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12477,https://securityvulnerability.io/vulnerability/CVE-2024-12477,Stored Cross-Site Scripting Vulnerability in Avada Builder Plugin for WordPress,"The Avada Builder plugin for WordPress, present in versions up to and including 3.11.11, suffers from a Stored Cross-Site Scripting vulnerability. This issue arises from inadequate input sanitization and output escaping of user-supplied attributes in the plugin's shortcodes. Consequently, authenticated users with contributor-level access or higher can exploit this vulnerability by injecting arbitrary web scripts into pages. These scripts execute every time a user visits the compromised page, potentially leading to data theft and site manipulation.",Wordpress,Avada (fusion) Builder,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-22T21:21:53.814Z,0
CVE-2024-12335,https://securityvulnerability.io/vulnerability/CVE-2024-12335,Information Exposure Vulnerability in Avada Builder Plugin for WordPress,"The Avada (Fusion) Builder plugin for WordPress has a vulnerability that allows authenticated attackers with contributor-level access and above to exploit information exposure. Through the handle_clone_post() function and the 'fusion_blog' shortcode, the plugin lacks adequate restrictions, enabling unauthorized access to data from password-protected, private, or draft posts. This poses a significant risk as attackers may glean sensitive information they are not permitted to access, potentially compromising user data confidentiality.",Wordpress,Avada (fusion) Builder,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-25T06:42:13.625Z,0
CVE-2024-5628,https://securityvulnerability.io/vulnerability/CVE-2024-5628,Stored Cross-Site Scripting Vulnerability Affects Avada Website Builder,"The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10.",Wordpress,Fusion Builder,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-09-13T05:30:55.590Z,0
CVE-2022-1386,https://securityvulnerability.io/vulnerability/CVE-2022-1386,Fusion Builder < 3.6.2 - Unauthenticated SSRF,"The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.",Wordpress,Fusion Builder,9.8,CRITICAL,0.30156999826431274,false,,false,false,true,true,false,false,2022-05-16T14:30:50.000Z,0