
Avada Theme CVE-2024-2344

Severity: HIGH (CVSS 3.1 base score 7.2, NVD)
Weakness: SQL Injection (CWE-89)
Published: 2024-04-09 · Source contact: security@wordfence.com

Severity by source

NVD (primary): 7.2 HIGH
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

PoC Detected: Apr 08, 2026 19:21 (vuln.today): public exploit code
CVE Published: Apr 09, 2024 19:15 (nvd): HIGH 7.2

Description (CVE.org)

The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Analysis (AI-generated)

SQL injection in the Avada theme for WordPress (versions up to and including 7.11.6) allows authenticated attackers with editor-level privileges or above to append arbitrary SQL queries via the 'entry' parameter and extract sensitive database contents. Publicly available exploit code exists, though EPSS places exploitation probability at 1.11% (78th percentile), indicating moderate but not widespread automated targeting. The flaw stems from insufficient input escaping and unprepared SQL statements in a widely-deployed commercial WordPress theme.

Technical Context (AI-generated)

Avada (by ThemeFusion, CPE cpe:2.3:a:theme-fusion:avada) is one of the most widely sold premium WordPress themes, deployed on hundreds of thousands of sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the 'entry' parameter is concatenated into a SQL query string without going through $wpdb->prepare() or being escaped with esc_sql(). Because the vulnerable code path is reachable from theme functionality available to editor and higher roles, an attacker holding such an account can use UNION-based or stacked-query techniques (depending on the underlying query structure) to exfiltrate rows from any table the WordPress DB user can read, which typically includes wp_users (password hashes) and wp_options (auth keys, API secrets).
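The following is an added illustration of the CWE-89 pattern described above and of the corrected form; it is not Avada's code, and the function names, the `edit_others_posts` capability gate, the nonce action name and the slug-shaped `entry` value are assumptions made for the example. The point is that escaping the value at the string-building site is the wrong layer: the query text and the user-controlled value have to be handed to $wpdb->prepare() separately.

```php
<?php
// Added example, not from the Avada theme or this advisory.
// Hypothetical handler that resolves a portfolio entry from the 'entry' request parameter.

// --- Vulnerable pattern (CWE-89): the raw parameter is interpolated into the SQL string ---
function vt_example_get_entry_vulnerable() {
    global $wpdb;
    $entry = isset( $_GET['entry'] ) ? $_GET['entry'] : '';
    // A single quote in $entry terminates the literal, so the rest of the value becomes SQL.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_name = '{$entry}' AND post_status = 'publish'";
    return $wpdb->get_row( $sql );
}

// --- Hardened version: authorise, verify the request, constrain the input, parameterise ---
function vt_example_get_entry_fixed() {
    global $wpdb;

    // 1. Authorisation. The capability is an assumption for the example; pick the one that
    //    actually matches the feature. Editor and above hold edit_others_posts in core roles.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return null;
    }

    // 2. Nonce check so the endpoint cannot be driven cross-site by a logged-in editor's browser.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( $_GET['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'vt_example_get_entry' ) ) {
        return null;
    }

    // 3. Shape the input to what the query expects. Post slugs are lowercase [a-z0-9-],
    //    so sanitize_title() already rejects quotes, comment markers and whitespace.
    $entry = isset( $_GET['entry'] ) ? sanitize_title( wp_unslash( $_GET['entry'] ) ) : '';
    if ( '' === $entry ) {
        return null;
    }

    // 4. Parameterised query. %s is quoted and escaped by prepare(); the value can no longer
    //    alter the statement even if step 3 were loosened for a different parameter type.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s AND post_status = 'publish'",
        $entry
    );
    return $wpdb->get_row( $sql );
}
```

Step 4 alone closes the injection; steps 1 to 3 are what keep a future regression from being reachable by low-value accounts, which is why the CVSS PR:H rating matters less than it looks for a theme whose editor accounts are often shared with contractors.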

Remediation (AI-generated)

Upgrade Avada to a version newer than 7.11.6 as released by ThemeFusion; consult the Wordfence advisory (wordfence.com/threat-intel) and the ThemeFusion changelog for the exact fixed release. If immediate patching is not possible, audit and tighten editor-and-above account access by enforcing strong unique passwords, requiring MFA via a plugin such as Wordfence or miniOrange, and reviewing the wp_users table for unexpected accounts; this targets the PR:H prerequisite directly, since exploitation requires a valid editor-level session. As a compensating control, place a WAF rule (Wordfence, Sucuri, or Cloudflare managed rules for WordPress SQLi) in front of admin-area endpoints to inspect the 'entry' parameter for SQL metacharacters; note that this can produce false positives on legitimate editor content that contains quotes or SQL keywords. Restricting wp-admin access by IP allowlist is another option, but it breaks remote editor workflows.
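As an added example of the log-review side of the compensating control above (not a WAF rule and not part of this advisory), the script below scans access-log lines for admin-area requests that carry an 'entry' parameter and flags values containing SQL metacharacters or keywords. The log lines, IPs and usernames are constructed for the example, and the `admin-ajax.php?action=vt_example` endpoint is a placeholder, not a real Avada route. The second sample line is included to show the false positive the text warns about: a legitimate slug that happens to contain the word "select".

```php
<?php
// Added example, not from the advisory. Heuristic review of access logs for the
// 'entry' parameter. Run with: php review_entry_param.php

// Metacharacters and keywords that have no business in a post slug.
const VT_SUSPICIOUS = '/(\'|"|--|;|\/\*|\b(union|select|sleep|benchmark)\b)/i';

// Pull the decoded 'entry' value out of a request path, or null if absent.
function vt_extract_entry_param( string $url ): ?string {
    $query = parse_url( $url, PHP_URL_QUERY );
    if ( ! $query ) {
        return null;
    }
    parse_str( $query, $params );           // also percent-decodes, so %27 becomes '
    return isset( $params['entry'] ) ? (string) $params['entry'] : null;
}

// Parse one combined-format log line; return null for lines without an 'entry' parameter.
function vt_classify_line( string $line ): ?array {
    $pattern = '/^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $pattern, $line, $m ) ) {
        return null;
    }
    [ , $ip, $user, $url, $status ] = $m;
    $entry = vt_extract_entry_param( $url );
    if ( null === $entry ) {
        return null;
    }
    return [
        'ip'         => $ip,
        'user'       => $user,
        'entry'      => $entry,
        'status'     => (int) $status,
        'suspicious' => (bool) preg_match( VT_SUSPICIOUS, $entry ),
    ];
}

// Constructed sample log (placeholder endpoint, documentation IP ranges).
$vt_sample_log = [
    '203.0.113.5 - editor1 [09/Apr/2024:19:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=vt_example&entry=spring-launch HTTP/1.1" 200 512',
    '203.0.113.5 - editor1 [09/Apr/2024:19:20:09 +0000] "GET /wp-admin/admin-ajax.php?action=vt_example&entry=select-committee-report HTTP/1.1" 200 498',
    '198.51.100.7 - editor2 [09/Apr/2024:19:21:33 +0000] "GET /wp-admin/admin-ajax.php?action=vt_example&entry=test%27%20--%20 HTTP/1.1" 200 3071',
    '198.51.100.7 - - [09/Apr/2024:19:22:00 +0000] "GET /about/ HTTP/1.1" 200 2000',
];

$flagged = 0;
foreach ( $vt_sample_log as $line ) {
    $r = vt_classify_line( $line );
    if ( null === $r ) {
        continue;                            // no 'entry' parameter on this request
    }
    $mark = $r['suspicious'] ? 'FLAG ' : 'ok   ';
    printf( "%s %-14s %-8s entry=%s\n", $mark, $r['ip'], $r['user'], $r['entry'] );
    $flagged += $r['suspicious'] ? 1 : 0;
}
printf( "%d flagged request(s); review each against the editor's actual activity.\n", $flagged );
```

Expect two flags: the `test' -- ` value is the kind of thing the WAF rule is meant to catch, while `select-committee-report` trips the keyword check only because hyphens count as word boundaries. That second case is exactly why a rule like this should alert rather than block until it has been tuned against the site's real slugs, and why the row's response size and the account's normal behaviour belong in the triage, not just the pattern match.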


CVE-2024-2344 vulnerability details – vuln.today
