CVE-2026-12256 PUBLISHED

Contributor PHP Object Injection in Avada <= 3.15.3 versions.

Update the WordPress Avada Theme to the latest available version (at least 3.15.4).

• daroo | Patchstack Bug Bounty Program finder

• https://patchstack.com/database/wordpress/theme/avada/vulnerability/wordpress-avada-theme-3-15-3-php-object-injection-vulnerability?_s_id=cve

• CWE-502 Deserialization of Untrusted Data CWE

• CAPEC-586 Object Injection