Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core fusion-core allows DOM-Based XSS. This issue affects Avada Core: from n/a through < 5.15.0.
Published: 2026-03-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). It allows DOM‑Based XSS in the ThemeFusion Avada Core "fusion‑core" plugin. When an attacker supplies crafted input that is reflected into the page, malicious client‑side script can be executed in the victim’s browser, enabling actions such as cookie theft, defacement, or phishing. The weakness is identified as CWE‑79.

Affected Systems

The affected product is the WordPress Avada Core plugin developed by ThemeFusion. Versions from the earliest released build through any release older than 5.15.0 are vulnerable. Any WordPress site that has Avada Core installed with a version number less than 5.15.0 is at risk.

Risk and Exploitability

The CVSS score is 6.5, which denotes medium severity. The EPSS score is reported as less than 1%, indicating a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The exploit requires that the attacker supply input that is rendered in the DOM; while the exact attack vector is not formally documented, it is inferred that user‑controllable fields or URL parameters in the WordPress admin or front‑end interface could be used to inject the malicious payload.

Generated by OpenCVE AI on March 19, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Avada Core plugin to version 5.15.0 or later; this version contains the fix for the DOM‑Based XSS.



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added:
  • Theme-fusion
  • Theme-fusion avada
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed:
Values Added:
  • Theme-fusion
  • Theme-fusion avada
  • Wordpress
  • Wordpress wordpress

Fri, 13 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed:
Values Added:
  • cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 12:00:00 +0000

Type: Description
Values Removed:
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core fusion-core allows DOM-Based XSS. This issue affects Avada Core: from n/a through < 5.15.0.

Type: Title
Values Removed:
Values Added: WordPress Avada Core plugin < 5.15.0 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed:
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:20.096Z

Reserved: 2026-03-12T11:11:40.510Z

Link: CVE-2026-32454

Vulnrichment

Updated: 2026-03-13T14:24:38.561Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:07.177

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:11Z

Weaknesses