Description
The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Avada Builder plugin for WordPress has a flaw that allows authenticated users with Subscriber-level access or higher to read any file on the server. The vulnerability is triggered by the "custom_svg" parameter of the "fusion_section_separator" shortcode via the internal function "fusion_get_svg_from_file". If an attacker can supply a path, the plugin returns the file contents, exposing potentially sensitive data such as configuration files, credentials, or user data. The weakness is a classic path traversal scenario, matching CWE-36 (Absolute Path Traversal).
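The defensive pattern that closes this class of bug is to never pass a caller-supplied path to a file read directly, but to resolve it against an allow-listed directory, canonicalise it, and confirm the result still lies inside that directory. The following is an added illustrative example, not code from Avada Builder or ThemeFusion; the function name safe_read_svg, the temporary demo directory and the sample file are assumptions made for the example. In a real WordPress plugin the allow-listed base directory would typically be the uploads directory returned by wp_upload_dir().

```php
<?php
// Added example (not Avada Builder code): confine a caller-supplied SVG path to an
// allow-listed directory before reading it. Function and directory names are assumptions.
declare(strict_types=1);

/**
 * Return the contents of $requested, resolved relative to $baseDir, only if the
 * canonical path stays inside $baseDir and names an existing .svg file.
 * Any violation yields null rather than leaking a file.
 */
function safe_read_svg(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                   // allow-listed directory must exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject empty input, NUL bytes, and absolute paths (POSIX, UNC, or drive-letter style):
    // everything must be expressed relative to the allow-listed base.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if ($requested[0] === '/' || $requested[0] === '\\' || preg_match('#^[A-Za-z]:#', $requested) === 1) {
        return null;
    }

    // realpath() collapses "..", symlinks and duplicate separators, and returns false
    // for paths that do not exist, so the containment check runs on the real target.
    $full = realpath($base . $requested);
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        return null;                                   // escaped the allow-listed directory
    }

    // Check the extension on the canonical path, not on the raw input, and require a regular file.
    if (!is_file($full) || strtolower(pathinfo($full, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }
    return file_get_contents($full);
}

// Self-contained demo against a constructed temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'svg-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'shape.svg', '<svg xmlns="http://www.w3.org/2000/svg"/>');

$cases = [
    'shape.svg',               // legitimate file inside the base directory
    '../../etc/passwd',        // relative traversal out of the base directory
    '/etc/passwd',             // absolute path
    'missing.svg',             // nonexistent file
    "shape.svg\0.txt",         // NUL byte
];
foreach ($cases as $requested) {
    $result = safe_read_svg($dir, $requested);
    printf("%-20s => %s\n", json_encode($requested), $result === null ? 'rejected' : 'served');
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'shape.svg');
rmdir($dir);
```

The order of checks matters: the extension test is applied to the path after realpath() so that an input whose last component looks like an SVG cannot be used to reach a different file, and the containment test compares against the base directory with its trailing separator so that a sibling directory whose name merely starts with the base name is not accepted.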

Affected Systems

WordPress sites that have the Avada (Fusion) Builder plugin from ThemeFusion installed, with version 3.15.2 or earlier. All installations employing this plugin and its shortcodes are susceptible; upgrades to version 3.15.3 or later remove the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity due to confidentiality impact and the requirement for authentication. The EPSS score is not available, and the vulnerability is not in CISA's KEV catalog, suggesting no known large-scale exploitation yet. However, since the attack vector requires an authenticated session, any compromised or brute-forced WordPress credentials elevate risk. An attacker could read arbitrary files, potentially gaining credentials or system information, which could facilitate further lateral movement or code execution if sensitive files are exposed.

Generated by OpenCVE AI on May 13, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avada Builder to version 3.15.3 or later to eliminate the vulnerability
  • If an upgrade is not immediately possible, restrict permissions on critical files and directories and consider disabling or removing the "fusion_section_separator" shortcode usage until patched
  • Continuously monitor the site for unusual file read activity and keep the WordPress core and all plugins up to date


Tracking


Advisories

No advisories yet.

History

Thu, 14 May 2026 14:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared  (none)            Themefusion
                                       Themefusion fusion Builder
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products   (none)            Themefusion
                                       Themefusion fusion Builder
                                       Wordpress
                                       Wordpress wordpress

Wed, 13 May 2026 11:30:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:15:00 +0000

Type          Values Removed    Values Added
Description   (none)            The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.
Title         (none)            Avada Builder <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read via 'custom_svg' Shortcode Parameter
Weaknesses    (none)            CWE-36
References
Metrics       (none)            cvssV3_1
                                {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:48:03.557Z

Reserved: 2026-03-24T15:11:57.596Z

Link: CVE-2026-4782

Vulnrichment

Updated: 2026-05-13T10:47:44.927Z

NVD

Status: Deferred

Published: 2026-05-13T13:01:55.633

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-4782

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses