Description
Contributor PHP Object Injection in Avada <= 3.15.3 versions.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP object injection flaw present in versions of the Avada theme up to 3.15.3. Untrusted input can be used to craft a serialized object that, when deserialized by the theme’s code, can lead to arbitrary code execution. The weakness is classified as CWE‑502, allowing an attacker to compromise the confidentiality, integrity, and availability of the entire WordPress installation if exploited.

Affected Systems

WordPress sites that use the ThemeFusion Avada theme version 3.15.3 or earlier are affected. This includes all installations whose theme version string shows 3.15.3 or any lower patchlevel.

Risk and Exploitability

The CVSS base score is 8.8, indicating high severity. The EPSS score of less than 1% suggests a low exploitation probability at present, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the exploitation path requires an attacker to supply malicious serialized data to the theme, most likely via an HTTP request to a WordPress endpoint that processes the theme’s configuration. If such a vector exists, an attacker could gain remote code execution with the privileges of the web server user.

Generated by OpenCVE AI on June 17, 2026 at 19:41 UTC.

Remediation

Vendor Solution

Update the WordPress Avada Theme to the latest available version (at least 3.15.4).


OpenCVE Recommended Actions

  • Update the Avada theme to version 3.15.4 or later.
  • Temporarily disable or remove the theme if an immediate update is not feasible, to block the vulnerable deserialization path.
  • After updating, audit the theme files for remaining unserialize() calls and ensure that any input to these calls is strictly validated or sanitized to prevent future injection attacks.

Generated by OpenCVE AI on June 17, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Theme-fusion
Theme-fusion avada
Wordpress
Wordpress wordpress
Vendors & Products Theme-fusion
Theme-fusion avada
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Contributor PHP Object Injection in Avada <= 3.15.3 versions.
Title WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Theme-fusion Avada
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:44:37.897Z

Reserved: 2026-06-15T08:56:12.050Z

Link: CVE-2026-12256

cve-icon Vulnrichment

Updated: 2026-06-17T10:44:32.824Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data