Description
Missing Authorization vulnerability in ThemeFusion Avada Core fusion-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avada Core: from n/a through < 5.15.0.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control – Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

ThemeFusion Avada Core fusion‑core contains a missing authorization vulnerability that allows exploitation of incorrectly configured access control security levels. The flaw permits unauthenticated or improperly authorized users to perform privileged actions, potentially enabling view, modification, or deletion of content and settings that should be restricted to administrators.

Affected Systems

The vulnerability targets ThemeFusion’s Avada Core plugin. The affected package range is from the first released version through any release prior to v5.15.0. Thus, any WordPress installation running Avada Core earlier than 5.15.0 is susceptible.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The record does not disclose any publicly available exploits or special prerequisites. Based on the nature of the flaw, the attack vector is likely remote and involves crafting HTTP requests to the plugin’s administrative endpoints, a scenario that is inferred from the plugin’s role as a WordPress component.

Generated by OpenCVE AI on March 19, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avada Core to version 5.15.0 or later to remove the missing authorization flaw.
  • If an upgrade is not immediately possible, restrict access to the plugin’s administrative URLs by configuring your web server or firewall to allow requests only from trusted IP addresses or by requiring authentication, thereby limiting exposure.
  • Verify that the installed plugin version matches the latest release by checking the WordPress plugin repository or the vendor’s site.
  • Monitor WordPress logs for unexpected access attempts to the plugin’s admin area and block offending IP addresses to mitigate potential attacks.


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Theme-fusion; Theme-fusion avada; Wordpress; Wordpress wordpress |
| Vendors & Products | | Theme-fusion; Theme-fusion avada; Wordpress; Wordpress wordpress |

Fri, 13 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 13 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in ThemeFusion Avada Core fusion-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avada Core: from n/a through < 5.15.0. |
| Title | | WordPress Avada Core plugin < 5.15.0 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:19.797Z

Reserved: 2026-03-12T11:11:40.509Z

Link: CVE-2026-32453

Vulnrichment

Updated: 2026-03-13T18:46:47.821Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:06.883

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:12Z

Weaknesses