Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in ThemeFusion Avada Core fusion-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Avada Core: from n/a through < 5.15.0.
AnalysisAI
This is a missing authorization vulnerability in ThemeFusion Avada Core (versions prior to 5.15.0) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with network attack vector and no privilege requirements, meaning any remote attacker can exploit it without authentication. While the integrity impact is limited (data modification rather than disclosure or system compromise), the lack of authentication requirements and network accessibility make this a practical security concern for websites using vulnerable Avada versions.
Technical ContextAI
Avada Core is a WordPress theme framework developed by ThemeFusion that provides core functionality for the Avada theme and related products. This vulnerability is classified under CWE-862 (Missing Authorization), which indicates that the application fails to properly verify that users have appropriate permissions before allowing them to perform sensitive actions. The vulnerability stems from incorrectly configured access control security levels within the fusion-core component, meaning that authorization checks are either missing entirely or improperly implemented for certain endpoints or functionality. This type of flaw typically occurs when developers fail to implement proper role-based access control (RBAC) checks or when authorization logic is bypassed through improper configuration of security directives.
RemediationAI
The primary remediation is to upgrade Avada Core to version 5.15.0 or later immediately. ThemeFusion users should access their ThemeFusion account, navigate to downloads or product management, and update the Avada theme to the patched version. On WordPress, this typically involves Dashboard > Appearance > Themes > Updates or using the WordPress plugin updater for Avada if it is distributed as a plugin. For environments where immediate patching is not possible, implement network-level access controls to restrict which users and systems can modify theme settings and configuration, enforce strong authentication for admin panels using WordPress security hardening practices (two-factor authentication, IP whitelisting), and monitor for suspicious access patterns to theme configuration endpoints. Consider using Web Application Firewall (WAF) rules to block requests to authorization-sensitive endpoints until patches can be deployed. After patching, verify the update was successful by checking the Avada version in the WordPress dashboard or examining plugin/theme version files.
More in Avada Core
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12005