Description
Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fusion Builder: from n/a through < 3.15.0.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch Immediately
AI Analysis

Impact

The CVE-2026-32452 vulnerability is a Missing Authorization flaw in the ThemeFusion Fusion Builder WordPress plugin. It allows an attacker to bypass configured security levels and perform actions that should be restricted to privileged users, such as modifying or deleting content. Because the flaw is a broken access control issue (CWE-862), the main risk is unauthorized access, potentially leading to data exposure or site compromise. The CVSS score of 5.3 reflects a moderate severity scenario.

Affected Systems

The vulnerability affects any installation of the Fusion Builder plugin for WordPress with a version prior to 3.15.0, as indicated by the vendor's product listing. The affected vendor is ThemeFusion, and the product is Fusion Builder. No specific patch version is listed, but the range is from unknown (n/a) until just below 3.15.0. Site administrators should verify the plugin version in use.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS probability of less than 1%, the likelihood of active exploitation is currently low, and the CVE is not cataloged in the KEV database. Nevertheless, the flaw is inherent to the plugin's access control logic and could be exploited by authenticated users or through local vulnerabilities. The attacker would need to identify a role that can misuse the plugin's interface, but no specific attack vector is defined in the description. Administrators should monitor for new exploits and treat the issue as a moderate risk that warrants patching.

Generated by OpenCVE AI on March 19, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fusion Builder to version 3.15.0 or later.
  • Verify the plugin is updated and no longer vulnerable.
  • If upgrade is not immediately possible, consider disabling the plugin or restricting user roles that could exploit it.
  • Monitor official advisories for updates.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fusion Builder: from n/a through < 3.15.0.

Type: Title
Values Added: WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:19.628Z

Reserved: 2026-03-12T11:11:40.509Z

Link: CVE-2026-32452

Vulnrichment

Updated: 2026-03-13T14:29:35.129Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:06.580

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:13Z

Weaknesses