Theme Vulnerability Hub
Theme 20 known issues Latest disclosed Oct 03, 2025

Avada | Website Builder For WordPress & WooCommerce Vulnerabilities

Review known vulnerability records for the WordPress theme Avada | Website Builder For WordPress & WooCommerce (`avada`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-64634, CVE-2024-13346 and CVE-2025-24748, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 20
High or Critical: 8
Patch Coverage: 100%
Last Updated: Feb 06, 2026

Priority CVE Quick Links

Fast paths into Avada | Website Builder For WordPress & WooCommerce CVE reports

Start with the highest-signal CVE records for this WordPress theme before scanning the full vulnerability feed.

Indexed CVEs: 18

CVE-2024-1468 High 7.11.5
CVE-2024-1468 Avada | Website Builder For WordPress & WooCommerce Remote Code Execution

Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload

CVE-2023-39312 High 7.11.2
CVE-2023-39312 Avada | Website Builder For WordPress & WooCommerce Remote Code Execution

Avada <= 7.11.1 - Authenticated(Author+) Arbitrary File Upload via Zip Extraction

CVE-2022-41996 High 7.8.2
CVE-2022-41996 Avada | Website Builder For WordPress & WooCommerce Cross-Site Request Forgery

Avada <= 7.8.1 - Cross-Site Request Forgery

CVE-2017-18607 High 5.1.5
CVE-2017-18607 Avada | Website Builder For WordPress & WooCommerce Cross-Site Request Forgery

Avada <= 5.1.4 - Cross-Site Request Forgery

CVE-2023-39313 High 7.11.2
CVE-2023-39313 Avada | Website Builder For WordPress & WooCommerce Server-Side Request Forgery

Avada <= 7.11.1 - Authenticated(Contributor+) Server Side Request Forgery via 'ajax_import_options'

CVE-2023-39307 High 7.11.2
CVE-2023-39307 Avada | Website Builder For WordPress & WooCommerce Remote Code Execution

Avada <= 7.11.1 - Authenticated(Contributor+) Arbitrary File Upload via 'ajax_import_options'

CVE-2024-13346 High 7.11.14
CVE-2024-13346 Avada | Website Builder For WordPress & WooCommerce Vulnerability

Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution

CVE-2024-2344 High 7.11.7
CVE-2024-2344 Avada | Website Builder For WordPress & WooCommerce SQL Injection

Avada <= 7.11.6 - Authenticated (Admin+) SQL Injection via entry

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Avada | Website Builder For WordPress & WooCommerce so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 20 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 8 high severity findings.
Recent CVEs: CVE-2025-64634, CVE-2024-13346 and CVE-2025-24748
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Avada | Website Builder For WordPress & WooCommerce

Sorted by latest disclosure date so newly published issues surface first.

Theme Medium Patched: Yes CVE-2025-64634
CVE-2025-64634: Avada <= 7.13.2 - Missing Authorization

The Avada theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.13.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized acti...

Published: Oct 03, 2025
Patched Release: 7.13.3
Affected Versions: Versions up to 7.13.2
Next Step: Update to 7.13.3 or newer if supported.

Theme High Patched: Yes CVE-2024-13346
CVE-2024-13346: Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before...

Published: Feb 12, 2025
Patched Release: 7.11.14
Affected Versions: Versions up to 7.11.13
Next Step: Update to 7.11.14 or newer if supported.

Theme Medium Patched: Yes CVE-2025-24748
CVE-2025-24748: Avada <= 7.11.10 - Missing Authorization

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.11.10. This makes it possible for unauthenticated attackers to perform an unaut...

Published: Jan 24, 2025
Patched Release: 7.11.11
Affected Versions: Versions up to 7.11.10
Next Step: Update to 7.11.11 or newer if supported.

Theme Medium Patched: Yes CVE-2024-54357
CVE-2024-54357: Avada <= 7.11.10 - Cross-Site Request Forgery

The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.11.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a fo...

Published: Dec 11, 2024
Patched Release: 7.11.11
Affected Versions: Versions up to 7.11.10
Next Step: Update to 7.11.11 or newer if supported.

Theme Medium Patched: Yes CVE-2024-2340
CVE-2024-2340: Avada <= 7.11.6 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing

The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada c...

Published: Mar 20, 2024
Patched Release: 7.11.7
Affected Versions: Versions up to 7.11.6
Next Step: Update to 7.11.7 or newer if supported.

Theme Medium Patched: Yes CVE-2024-2343
CVE-2024-2343: Avada <= 7.11.6 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the form_to_url_action function. This makes it possible for authenticated attackers, with contributor-level ac...

Published: Mar 20, 2024
Patched Release: 7.11.7
Affected Versions: Versions up to 7.11.6
Next Step: Update to 7.11.7 or newer if supported.

Theme Medium Patched: Yes CVE-2024-2311
CVE-2024-2311: Avada <= 7.11.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated att...

Published: Mar 20, 2024
Patched Release: 7.11.7
Affected Versions: Versions up to 7.11.6
Next Step: Update to 7.11.7 or newer if supported.

Theme High Patched: Yes CVE-2024-2344
CVE-2024-2344: Avada <= 7.11.6 - Authenticated (Admin+) SQL Injection via entry

The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

Published: Mar 20, 2024
Patched Release: 7.11.7
Affected Versions: Versions up to 7.11.6
Next Step: Update to 7.11.7 or newer if supported.

Theme Medium Patched: Yes CVE-2024-1668
CVE-2024-1668: Avada <= 7.11.5 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to...

Published: Mar 01, 2024
Patched Release: 7.11.6
Affected Versions: Versions up to 7.11.5
Next Step: Update to 7.11.6 or newer if supported.

Theme High Patched: Yes CVE-2024-1468
CVE-2024-1468: Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated att...

Published: Feb 28, 2024
Patched Release: 7.11.5
Affected Versions: Versions up to 7.11.4
Next Step: Update to 7.11.5 or newer if supported.

Theme High Patched: Yes CVE-2023-39313
CVE-2023-39313: Avada <= 7.11.1 - Authenticated(Contributor+) Server Side Request Forgery via 'ajax_import_options'

The Avada theme for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 7.11.1 via the 'ajax_import_options' function. This can allow authenticated attackers with contributor privileges to make web requests to arbitrary locations originating f...

Published: Aug 10, 2023
Patched Release: 7.11.2
Affected Versions: Versions up to 7.11.1
Next Step: Update to 7.11.2 or newer if supported.

Theme High Patched: Yes CVE-2023-39307
CVE-2023-39307: Avada <= 7.11.1 - Authenticated(Contributor+) Arbitrary File Upload via 'ajax_import_options'

The Avada theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_import_options' function in versions up to, and including, 7.11.1. This makes it possible for authenticated attackers with contributor permissions to upload arbi...

Published: Aug 10, 2023
Patched Release: 7.11.2
Affected Versions: Versions up to 7.11.1
Next Step: Update to 7.11.2 or newer if supported.