Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).
Published: 2026-05-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw permits authenticated users with Subscriber or higher privileges to inject executable JavaScript into the content of shortcodes that are stored by the Avada (Fusion) Builder plugin. When a page that renders that content is viewed, the malicious script runs in the context of the browser, allowing an attacker to steal session cookies, deface the site, or perform actions on behalf of the victim. The vulnerability represents a classic stored cross‑site scripting flaw (CWE‑79) that damages confidentiality, integrity, and potentially the availability of the web application by compromising the security of all viewers of affected pages.

Affected Systems

All installations of the Avada (Fusion) Builder WordPress plugin with a version number of 3.15.2 or earlier are affected, regardless of the theme or WordPress core version. The problem originates from inadequate sanitization of shortcode parameters and lack of output escaping within the plugin’s handling of dynamic user data. Site administrators who run these vulnerable plugin versions must therefore consider themselves at risk.

Risk and Exploitability

The CVSS v3.1 score of 6.4 reflects a moderate severity level and indicates that the vulnerability is exploitable with authenticated access. No EPSS score is available, so the exact likelihood of exploitation cannot be quantified, but the absence of an EPSS value does not diminish the risk. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by modifying the content of pages that use a shortcode to display user biographical information; when those pages are subsequently viewed, the malicious code is executed. Because any administrator or user with editing rights can introduce the payload, the attack vector is primarily a trusted‑user code‑injection scenario.

Generated by OpenCVE AI on May 21, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avada (Fusion) Builder to a version newer than 3.15.2 once the vendor confirms the fix in the changelog or releases a patch. That version removes the unsanitized handling of shortcode parameters and ensures proper escaping of user data.
  • If an immediate upgrade is not possible, proactively remove or neutralize all dynamic data shortcodes from pages until the plugin is updated. This prevents any stored scripts from being rendered to users.
  • Implement a site‑wide content sanitization rule or a security plugin that filters JavaScript from user‑submitted text fields, particularly the user biographical fields, to mitigate the risk of re‑injection if an attacker can still edit page content.

Generated by OpenCVE AI on May 21, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress
Vendors & Products Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress

Thu, 21 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).
Title Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Themefusion Fusion Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-21T12:08:39.173Z

Reserved: 2026-01-28T15:09:53.304Z

Link: CVE-2026-1543

cve-icon Vulnrichment

Updated: 2026-05-21T12:08:35.842Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T05:16:22.257

Modified: 2026-05-21T15:19:30.540

Link: CVE-2026-1543

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:00:05Z

Weaknesses