Description
Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw (CWE-502) in the Fusion Builder WordPress plugin. Attackers can construct malicious serialized PHP objects that, when processed by the plugin, may trigger arbitrary code execution or other destructive behavior, compromising the confidentiality, integrity, and availability of the affected site.

Affected Systems

ThemeFusion Fusion Builder plugin versions up to and including 3.15.4 are affected. All WordPress sites that have this version of the plugin installed are at risk until they upgrade.

Risk and Exploitability

The CVSS score of 9.8 reflects high severity and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, with an attacker able to supply the crafted payload via the plugin’s input handling (e.g., form submissions or API calls).

Generated by OpenCVE AI on June 17, 2026 at 18:45 UTC.

Remediation

Vendor Solution

Update the WordPress Fusion Builder Plugin to the latest available version (at least 3.15.5).

OpenCVE Recommended Actions

  • Upgrade the Fusion Builder plugin to v3.15.5 or later to remove the vulnerable code.
  • If an immediate upgrade is not possible, uninstall or disable the plugin to prevent possible exploitation.
  • Ensure the site’s WordPress installation is counted as an unauthenticated web-facing application and consider blocking or monitoring POST requests to the plugin’s endpoints until an upgrade can be applied.

Generated by OpenCVE AI on June 17, 2026 at 18:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress
Vendors & Products Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.
Title WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themefusion Fusion Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:54:40.081Z

Reserved: 2026-06-12T09:16:00.860Z

Link: CVE-2026-54194

cve-icon Vulnrichment

Updated: 2026-06-17T10:54:34.494Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T03:45:01Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data