Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter.
Published: 2026-04-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch
AI Analysis

Impact

The Avada (Fusion) Builder plugin for WordPress has a flaw where the function fusion_get_post_custom_field() does not verify whether metadata keys are protected by an underscore prefix before returning their values. This insecure direct object reference (CWE‑639) allows an authenticated user with Subscriber role or higher to retrieve protected post metadata through the Dynamic Data feature’s post_custom_field parameter. The outcome is the loss of confidentiality for data that should remain private, such as internal notes, API keys, or other sensitive configuration values.

Affected Systems

WordPress sites that have installed the Avada (Fusion) Builder plugin from ThemeFusion and are running any version up to and including 3.15.1. Systems using newer versions are not affected. The vulnerability can only be exploited when the Dynamic Data feature is enabled and the user supplies the post_custom_field parameter.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity rating. No EPSS score is available, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker requires valid credentials with at least Subscriber access, so the threat is limited to authenticated users. Nonetheless, because the exposed data is confidential, the risk remains non‑zero for sites that store sensitive information in post metadata and enforce strict confidentiality controls.

Generated by OpenCVE AI on April 15, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avada (Fusion) Builder to a version newer than 3.15.1 to apply the fixed fusion_get_post_custom_field() logic.
  • If upgrading immediately is not possible, disable the Dynamic Data feature or configure it so that only non‑underscore‑prefixed metadata keys can be retrieved by Subscriber‑level users.
  • Audit existing post metadata, remove or encrypt any sensitive values stored under underscore‑prefixed keys, and modify application logic to prevent their use as confidential data.

Generated by OpenCVE AI on April 15, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress
Vendors & Products Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress

Wed, 15 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter.
Title Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Themefusion Fusion Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T15:56:52.964Z

Reserved: 2026-01-28T14:57:30.708Z

Link: CVE-2026-1541

cve-icon Vulnrichment

Updated: 2026-04-15T15:56:44.859Z

cve-icon NVD

Status : Received

Published: 2026-04-15T04:17:33.433

Modified: 2026-04-15T04:17:33.433

Link: CVE-2026-1541

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses