Skip to main content

Avada Fusion Builder CVE-2026-12536

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Wordfence
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to visit the page (UI:R, not UI:N as provided); PR:L reflects mandatory Contributor authentication; S:C captures cross-browser-boundary execution.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 20:31 vuln.today
CVE Published
Jul 13, 2026 - 19:33 nvd
MEDIUM 6.4

DescriptionCVE.org

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Contributor account
Delivery
Inject script into Module Title field
Exploit
Payload persists in WordPress database
Execution
Admin or user visits injected page
Persist
Script executes in victim browser
Impact
Steal session cookie or perform privileged action

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum a Contributor-level authenticated account on the target WordPress installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, score 6.4) contains a likely error: UI:N is inconsistent with stored XSS mechanics, which inherently require a victim to navigate to the injected page (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers for a WordPress site that allows open user registration and is elevated to Contributor status (or already holds that role). The attacker creates or edits a page using the Avada Fusion Builder, injecting a JavaScript payload such as a cookie-stealing script into a Module Title field. …
Remediation Update the Avada (Fusion) Builder plugin to the version released after 3.15.5 as soon as ThemeFusion publishes a patched release; monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/6199b852-3270-4456-934b-68c3ef11b9e5?source=cve and the official ThemeForest listing for patch announcements. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy