{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-58922", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-09-06T04:44:19.611Z", "datePublished": "2026-04-22T15:44:47.623Z", "dateUpdated": "2026-04-28T16:13:49.641Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Avada", "vendor": "ThemeFusion", "versions": [{"changes": [{"at": "7.13.2", "status": "unaffected"}], "lessThan": "7.13.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.<p>This issue affects Avada: from n/a before 7.13.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.This issue affects Avada: from n/a before 7.13.2."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:49.641Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-7-13-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the WordPress Avada theme to the latest available version (at least 7.13.2)."}], "value": "Update the WordPress Avada theme to the latest available version (at least 7.13.2)."}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source"], "title": "WordPress Avada theme < 7.13.2 - Cross Site Request Forgery (CSRF) vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:19:03.794807Z", "id": "CVE-2025-58922", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:19:25.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-58922", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:19:03.794807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:19:12.931Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Avada theme < 7.13.2 - Cross Site Request Forgery (CSRF) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeFusion", "product": "Avada", "versions": [{"status": "affected", "changes": [{"at": "7.13.2", "status": "unaffected"}], "version": "n/a", "lessThan": "7.13.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Avada theme to the latest available version (at least 7.13.2).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Avada theme to the latest available version (at least 7.13.2).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-7-13-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.This issue affects Avada: from n/a before 7.13.2.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.<p>This issue affects Avada: from n/a before 7.13.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:13:49.641Z"}}}, "cveMetadata": {"cveId": "CVE-2025-58922", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:13:49.641Z", "dateReserved": "2025-09-06T04:44:19.611Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-22T15:44:47.623Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.This issue affects Avada: from n/a before 7.13.2."}], "id": "CVE-2025-58922", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-22T16:16:51.963", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-7-13-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.13.2)"}}], "enrichment": {"confidence": 97.0, "confidence_source": "matching", "scores": [{"score": 97.0, "source": "matching"}]}, "original": {"product": "Avada", "source": "cna", "vendor": "ThemeFusion"}, "product": "avada", "vendor": "theme-fusion"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T15:22:33.205792+00:00", "value": {"mitigation_remediation": ["Update the Avada theme to version\u202f7.13.2 or newer, as recommended by ThemeFusion.", "After applying the update, ensure that the site\u2019s cache is cleared and that any administrative interface no longer accepts cross\u2011site requests without proper tokens.", "Restrict access to theme configuration settings to administrator roles only, reducing the potential impact if an unfixed site is accessed."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Avada theme from ThemeFusion, specifically any version earlier than\u202f7.13.2.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery flaw that allows an attacker to submit requests on behalf of a logged\u2011in WordPress user. By exploiting improper verification of request authenticity, a malicious actor may trigger actions that the user performed, potentially altering site settings or other data. The weakness is identified as CWE\u2011352 and carries a CVSS score of 4.3, indicating moderate severity. Based on the description, it is inferred that the flaw causes the request to be processed without proper CSRF token validation.", "risk_and_exploitability": "The CVSS score reflects a moderate risk, and the EPSS score of\u202f<\u202f1% indicates a very low but nonzero probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that attackers would need to trick an authenticated user into visiting a crafted link or submitting a malicious form\u2014a vector that relies on user interaction and, therefore, may be limited in scope. Nonetheless, once compromised, the attacker can perform unauthorized actions on the site."}}}}, "created": "2026-04-27T20:15:12.111017+00:00", "updated": "2026-04-28T15:30:34.818842+00:00", "vendors": ["theme-fusion", "theme-fusion$PRODUCT$avada", "wordpress", "wordpress$PRODUCT$wordpress"]}