Fusion Builder
CVE-2023-39311
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.11.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.11.1. Affected products include: Avada Fusion Builder. Version information: through 3.11.1..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
More in Fusion Builder
View allThe Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms wh
PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users w
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeFusion Fusion
Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Cont
A Reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Fusion Builder, a WordPress page builder plug
Fusion Builder, a WordPress plugin by ThemeFusion, contains a missing authorization vulnerability (CWE-862) that allows
This vulnerability is a missing authorization flaw in ThemeFusion Fusion Builder that allows unauthenticated attackers t
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today