Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
ThemeFusion

ThemeFusion Vendor Cyber Rating & Cyber Score

avada.com

Creators of Avada, the #1 selling Website Builder for WordPress on Themeforest https://1.envato.market/e4rPJ1


ThemeFusion A.I CyberSecurity Scoring

ThemeFusion
Company Information
Website:https://avada.com/
Employees number:15
Number of followers:488
NAICS:5112
Industry Type:Software Development
Homepage:avada.com
ThemeFusion Risk Score (AI oriented)
Between 700 and 749
logo
ThemeFusionSoftware Development
Updated:
18/05/2026
748/1000
Moderate
Ba
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
ThemeFusion Global Score (TPRM)
xxxx
logo
ThemeFusionSoftware Development
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

ThemeFusion
ThemeFusionModerate
Current Score
748Ba (MODERATE)
01000
1 incidents
-3 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
749Before Incident
JUNE 2026
748Before Incident
MAY 2026
751Before Incident
Vulnerability
13 May 2026ThemeFusion
ThemeFusion: SQL Injection, File Read Vulnerability Affect 1M Avada WordPress Sites

Critical Vulnerabilities in Avada Builder Plugin Expose 1 Million WordPress Sites to Attacks

748After Incident
CRITICAL-3
THE1779092666
Critical Vulnerabilities in Avada Builder Plugin Expose 1 Million WordPress Sites to Attacks On May 13, 2026, cybersecurity firm Wordfence disclosed two severe vulnerabilities in the Avada Builder WordPress plugin, a page builder bundled with the popular Avada theme by ThemeFusion. The flaws, discovered by researcher Rafie Muhammad and reported via Wordfence’s Bug Bounty Program, earned a combined bounty of $4,453. Approximately 1 million active websites are at risk of credential theft, database compromise, and full-site takeover. The most critical flaw, CVE-2026-4798 (CVSS 7.5), is an unauthenticated SQL injection vulnerability affecting all versions of Avada Builder up to 3.15.1. The issue stems from improper sanitization of the `product_order` GET parameter in the plugin’s `post_query()` function, allowing attackers to execute time-based blind SQL injection attacks. Exploitation requires WooCommerce to have been previously installed and deactivated, leaving residual database tables. Successful attacks could extract password hashes and sensitive data by measuring server response delays. The second vulnerability, CVE-2026-4782 (CVSS 6.5), enables arbitrary file read via the `fusion_get_svg_from_file()` function, triggered by the `custom_svg` parameter in the `fusion_section_separator` shortcode. Due to missing file validation and insufficient access controls, authenticated users with Subscriber-level access can read any server file, including wp-config.php, which contains database credentials and cryptographic salts. Attackers could forge admin sessions, create rogue accounts, and deploy backdoors. Wordfence reported the vulnerabilities to ThemeFusion on March 24–25, 2026. A partial patch (3.15.2) addressing the SQL injection flaw was released on April 13, 2026, with the complete fix (3.15.3) arriving on May 12, 2026. Wordfence Premium, Care, and Response users received firewall protection on March 25, 2026, while free users gained coverage 30 days later. Security analysts highlight that Avada Builder’s theme-bundled architecture complicates updates, as users cannot patch the plugin independently of the theme. Administrators are urged to upgrade to version 3.15.3 immediately and audit for unauthorized access or modified files.
INCIDENT DETAILS -
TYPE
SQL InjectionArbitrary File Read
IMPACT
Password hashesDatabase credentialsCryptographic saltsSensitive dataWordPress sites using Avada Builder plugin (up to version 3.15.1)Full-site takeoverUnauthorized accessBackdoor deploymentPersonally identifiable information exposure
DATA BREACH
Password hashesDatabase credentialsCryptographic saltsSensitive dataSensitivity Of Data: Highwp-config.phpSVG filesPersonally Identifiable Information: Possible (via database compromise)
APRIL 2026
751Before Incident
MARCH 2026
751Before Incident
FEBRUARY 2026
751Before Incident
JANUARY 2026
751Before Incident
DECEMBER 2025
751Before Incident
NOVEMBER 2025
751Before Incident
OCTOBER 2025
751Before Incident
SEPTEMBER 2025
751Before Incident
AUGUST 2025
751Before Incident

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for ThemeFusion ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in June 2026 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in May 2026 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in April 2026 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in March 2026 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in February 2026 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in January 2026 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in December 2025 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in November 2025 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in October 2025 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in September 2025 ?
?
What was ThemeFusion's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on ThemeFusion's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with ThemeFusion ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view ThemeFusion's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?