Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Reflected XSS. This issue affects Fusion Builder: from n/a through < 3.15.0.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The Fusion Builder plugin for WordPress does not properly neutralize input during web page generation, which allows reflected cross‑site scripting. An attacker can inject malicious JavaScript that the browser executes in the context of the vulnerable site, potentially leading to session hijacking, credential theft, or defacement. The weakness is classified as CWE‑79.

Affected Systems

The vulnerability affects all installations of the ThemeFusion Fusion Builder plugin that are running any version earlier than 3.15.0; no higher‑version information is provided.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity flaw. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be public internet access: an attacker can craft a malicious URL or input that reflects attacker-supplied content back to the browser. No special privileges or authentication are required for exploitation.

Generated by OpenCVE AI on March 25, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Fusion Builder plugin to version 3.15.0 or later
  • If an update cannot be applied immediately, temporarily disable the plugin until the patch is released
  • Review and enforce a strict Content Security Policy to reduce the risk of script execution
  • Monitor site traffic for unusual or suspicious activity

Generated by OpenCVE AI on March 25, 2026 at 22:21 UTC.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Reflected XSS. This issue affects Fusion Builder: from n/a through < 3.15.0.

Type: Title
Values Removed: (none)
Values Added: WordPress Fusion Builder plugin < 3.15.0 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:07:56.369Z

Reserved: 2026-03-12T11:12:34.193Z

Link: CVE-2026-32542

Vulnrichment

Updated: 2026-03-25T20:02:13.052Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:08.120

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32542

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:12Z

Weaknesses