Vulnerabilities > Theme Fusion > Avada Builder
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-04-01 | CVE-2025-1665 | Cross-site Scripting vulnerability in Theme-Fusion Avada Builder The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-02-13 | CVE-2024-13345 | Code Injection vulnerability in Theme-Fusion Avada Builder The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. | 9.8 |
| 2025-01-22 | CVE-2024-12477 | Cross-site Scripting vulnerability in Theme-Fusion Avada Builder 3.11.11 The Avada Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.11.11 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2024-12-25 | CVE-2024-12335 | Authorization Bypass Through User-Controlled Key vulnerability in Theme-Fusion Avada Builder 3.11.11/3.11.12 The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. | 4.3 |