Avada

Avada

Vulnerabilities:

21

Last Updated:

December 19, 2025

Active Installs:

n/a

Published
Title
Fixed in
CVSS
Published
2025-10-03
Title
Avada <= 7.13.2 - Missing Authorization
Fixed in
Fixed in 7.13.3
CVSS
4.3 (medium)
Published
2025-02-12
Title
Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution
Fixed in
Fixed in 7.11.14
CVSS
7.3 (high)
Published
2025-01-24
Title
Avada < 7.11.11 - Missing Authorization
Fixed in
Fixed in 7.11.11
CVSS
5.3 (medium)
Published
2024-12-11
Title
Avada < 7.11.11 - Cross-Site Request Forgery
Fixed in
Fixed in 7.11.11
CVSS
4.3 (medium)
Published
2024-03-20
Title
Avada < 7.11.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Fixed in
Fixed in 7.11.7
CVSS
6.4 (medium)
Published
2024-03-20
Title
Avada < 7.11.7 - Authenticated (Admin+) SQL Injection via entry
Fixed in
Fixed in 7.11.7
CVSS
7.2 (high)
Published
2024-03-20
Title
Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Fixed in
Fixed in 7.11.7
CVSS
5.3 (medium)
Published
2024-03-20
Title
Avada < 7.11.7 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action
Fixed in
Fixed in 7.11.7
CVSS
6.4 (medium)
Published
2024-02-28
Title
Avada | Website Builder For WordPress & WooCommerce < 7.11.5 - Authenticated (Contributor+) Arbitrary File Upload
Fixed in
Fixed in 7.11.5
CVSS
8.8 (high)
Published
2024-01-29
Title
Avada < 7.11.2 - Subscriber+ Portfolio Permalinks Creation
Fixed in
Fixed in 7.11.2
CVSS
4.3 (medium)
Published
2024-01-29
Title
Avada < 7.11.2 - Author+ Arbitrary File Upload via Zip Extraction
Fixed in
Fixed in 7.11.2
CVSS
7.2 (high)
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ SSRF
Fixed in
Fixed in 7.11.2
CVSS
8.5 (high)
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ Arbitrary File Upload
Fixed in
Fixed in 7.11.2
CVSS
6.6 (medium)
Published
2022-10-20
Title
Avada < 7.8.2 - Arbitrary Plugin Instalation/Activation via CRSF
Fixed in
Fixed in 7.8.2
CVSS
8.8 (high)
Published
2022-04-19
Title
Fusion Builder < 3.6.2 - Unauthenticated SSRF
Fixed in
Fixed in 7.6.2
CVSS
8.6 (high)
Published
2021-09-13
Title
Avada < 7.4.2 - Reflected Cross-Site Scripting
Fixed in
Fixed in 7.4.2
CVSS
6.1 (medium)
Published
2021-09-10
Title
Avada < 7.4.2 - Stored Cross-Site Scripting
Fixed in
Fixed in 7.4.2
CVSS
n/a
Published
2020-05-01
Title
Avada < 6.2.3 - Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS
Fixed in
Fixed in 6.2.3
CVSS
8.5 (high)
Published
2017-04-26
Title
Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF
Fixed in
Fixed in 5.1.5
CVSS
8.8 (high)
Published
2015-02-11
Title
WordPress Slider Revolution - Local File Disclosure
Fixed in
Fixed in 3.4
CVSS
7.5 (high)
Published
2014-11-30
Title
WordPress Slider Revolution Shell Upload
Fixed in
Fixed in 3.4
CVSS
9.4 (critical)