Skip to main content

Avada CVE-2022-41996

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2022-10-27 audit@patchstack.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 27, 2022 - 17:15 nvd
HIGH 8.8

DescriptionNVD

Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.

AnalysisAI

Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation. Affected products include: Theme-Fusion Avada.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Avada

View all
CVE-2024-2340 MEDIUM POC
5.3 Apr 09

The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11

CVE-2022-1386 CRITICAL POC
9.8 May 16

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms wh

CVE-2024-13346 HIGH
7.3 Feb 13

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode executi

CVE-2024-2344 HIGH POC
7.2 Apr 09

SQL injection in the Avada theme for WordPress (versions up to and including 7.11.6) allows authenticated attackers with

CVE-2024-2311 MEDIUM POC
6.4 Apr 09

The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions u

CVE-2024-2343 MEDIUM POC
6.4 Apr 09

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery

CVE-2020-36711 MEDIUM POC
6.4 Jun 07

The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the update_layout function in versions up

CVE-2024-1468 HIGH
8.8 Feb 29

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due

CVE-2026-12256 HIGH
8.8 Jun 16

PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users wit

CVE-2023-39307 HIGH
8.5 Mar 26

Unrestricted Upload of File with Dangerous Type vulnerability in ThemeFusion Avada.11.1. Rated high severity (CVSS 8.5),

CVE-2023-39313 HIGH
7.7 Mar 28

Server-Side Request Forgery (SSRF) vulnerability in ThemeFusion Avada.11.1. Rated high severity (CVSS 7.7), this vulnera

CVE-2024-1668 MEDIUM
6.5 Mar 13

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Expos

Share

CVE-2022-41996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy