Description
Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.2.
Published: 2025-12-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an authorization weakness in ThemeFusion Avada that permits users to invoke protected functions that should be restricted by access control lists. Because the theme fails to enforce proper ACL checks, an attacker may be able to access or modify content, settings, or data that should only be available to privileged users, potentially leading to unauthorized data disclosure or manipulation. The underlying weakness corresponds to CWE-862.

Affected Systems

This issue affects the Avada WordPress theme supplied by ThemeFusion. All installed instances of Avada at version 7.13.2 or earlier are vulnerable, regardless of the WordPress core version or which other plugins are installed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently rare. The vulnerability is not currently identified in the CISA KEV catalog. Based on the description, the likely attack vector involves manipulating authenticated requests to the theme’s administrative interface or sending crafted URLs to trigger the unprotected functionality; however, the exact method is not detailed in the available information and is inferred from typical broken access control scenarios.

Generated by OpenCVE AI on April 29, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Avada theme to the latest revision issued by ThemeFusion (version 7.13.3 or later).
  • Remove or disable the vulnerable theme if a timely upgrade cannot be applied, preventing any exploitation via the theme’s code.
  • Keep WordPress core, plugins, and other themes updated to their latest supported versions to reduce surface area for related security issues.

Generated by OpenCVE AI on April 29, 2026 at 19:04 UTC.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.1.
Values added: Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.2.

Type: Title
Values removed: WordPress Avada theme <= 7.13.1 - Broken Access Control vulnerability
Values added: WordPress Avada theme <= 7.13.2 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 12 Jan 2026 19:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:wordpress:*:*

Thu, 18 Dec 2025 20:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values added: Theme-fusion; Theme-fusion avada; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Theme-fusion; Theme-fusion avada; Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values added: Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.1.

Type: Title
Values added: WordPress Avada theme <= 7.13.1 - Broken Access Control vulnerability

Type: Weaknesses
Values added: CWE-862

Type: References
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:15.281Z

Reserved: 2025-11-06T13:11:11.070Z

Link: CVE-2025-64634

Vulnrichment

Updated: 2025-12-18T19:54:54.834Z

NVD

Status : Modified

Published: 2025-12-16T09:15:55.737

Modified: 2026-04-27T16:16:42.880

Link: CVE-2025-64634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:15:18Z

Weaknesses