{"api_version":"1","generated_at":"2026-04-21T13:34:16+00:00","cve":"CVE-2024-1668","urls":{"html":"https://cve.report/CVE-2024-1668","api":"https://cve.report/api/cve/CVE-2024-1668.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-1668","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-1668"},"summary":{"title":"Avada <= 7.11.5 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries","description":"The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's \"password\" field).","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-03-13 16:15:25","updated_at":"2026-04-08 19:20:49"},"problem_types":["CWE-284","NVD-CWE-noinfo","CWE-284 CWE-284 Improper Access Control"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://gist.github.com/Xib3rR4dAr/91bd37338022b15379f393356d1056a1","name":"https://gist.github.com/Xib3rR4dAr/91bd37338022b15379f393356d1056a1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cd224169-ae51-4af8-b6de-706ed580ff8d?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cd224169-ae51-4af8-b6de-706ed580ff8d?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-1668","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1668","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ThemeFusion","product":"Avada | Website Builder For WordPress & WooCommerce","version":"affected 7.11.5 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-03-01T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Muhammad Zeeshan","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"1668","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"theme-fusion","cpe5":"avada","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"1668","cve":"CVE-2024-1668","epss":"0.005450000","percentile":"0.678130000","score_date":"2026-04-20","updated_at":"2026-04-21 00:07:51"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-1668","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-03-13T18:15:31.860093Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-07-05T17:22:18.243Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T18:48:21.727Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cd224169-ae51-4af8-b6de-706ed580ff8d?source=cve"},{"tags":["x_transferred"],"url":"https://gist.github.com/Xib3rR4dAr/91bd37338022b15379f393356d1056a1"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Avada | Website Builder For WordPress & WooCommerce","vendor":"ThemeFusion","versions":[{"lessThanOrEqual":"7.11.5","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Muhammad Zeeshan"}],"descriptions":[{"lang":"en","value":"The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's \"password\" field)."}],"metrics":[{"cvssV3_1":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:23:59.161Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cd224169-ae51-4af8-b6de-706ed580ff8d?source=cve"},{"url":"https://gist.github.com/Xib3rR4dAr/91bd37338022b15379f393356d1056a1"}],"timeline":[{"lang":"en","time":"2024-03-01T00:00:00.000Z","value":"Disclosed"}],"title":"Avada <= 7.11.5 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-1668","datePublished":"2024-03-13T15:32:40.387Z","dateReserved":"2024-02-20T15:58:34.868Z","dateUpdated":"2026-04-08T17:23:59.161Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-03-13 16:15:25","lastModifiedDate":"2026-04-08 19:20:49","problem_types":["CWE-284","NVD-CWE-noinfo","CWE-284 CWE-284 Improper Access Control"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"7.11.6","matchCriteriaId":"0DBAB261-B343-4EF4-8A9E-3A393ABC7E24"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"1668","Ordinal":"1","Title":"Avada <= 7.11.5 - Authenticated(Contributor+) Sensitive Informat","CVE":"CVE-2024-1668","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"1668","Ordinal":"1","NoteData":"The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's \"password\" field).","Type":"Description","Title":"Avada <= 7.11.5 - Authenticated(Contributor+) Sensitive Informat"}]}}}