Avada Fusion Builder
CVE-2026-12536
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires a victim to visit the page (UI:R, not UI:N as provided); PR:L reflects mandatory Contributor authentication; S:C captures cross-browser-boundary execution.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a Contributor-level authenticated account on the target WordPress installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, score 6.4) contains a likely error: UI:N is inconsistent with stored XSS mechanics, which inherently require a victim to navigate to the injected page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers for a WordPress site that allows open user registration and is elevated to Contributor status (or already holds that role). The attacker creates or edits a page using the Avada Fusion Builder, injecting a JavaScript payload such as a cookie-stealing script into a Module Title field. … |
| Remediation | Update the Avada (Fusion) Builder plugin to the version released after 3.15.5 as soon as ThemeFusion publishes a patched release; monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/6199b852-3270-4456-934b-68c3ef11b9e5?source=cve and the official ThemeForest listing for patch announcements. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Avada Fusion Builder
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today