Skip to main content

Fusion Builder CVE-2026-32451

| EUVD-2026-12001 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
Authentication Bypass Fusion Builder
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 10:22 NVD
6.3 (MEDIUM) 6.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
3.15.0
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12001
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 6.3

DescriptionCVE.org

Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fusion Builder: from n/a through < 3.15.0.

AnalysisAI

Fusion Builder, a WordPress plugin by ThemeFusion, contains a missing authorization vulnerability (CWE-862) that allows authenticated attackers with low privileges to bypass access controls and perform unauthorized actions. Versions prior to 3.15.0 are affected, and attackers can exploit incorrectly configured access control to read, modify, or delete sensitive data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS 6.3 score indicates moderate severity with a network attack vector, low attack complexity, and a requirement for low privileges (authenticated user). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege WordPress account (such as a subscriber or contributor with plugin access) can directly call a Fusion Builder REST endpoint or AJAX action without proper authorization checks. By crafting a request to modify page builder elements, site settings, or content on pages they should not have access to, the attacker reads sensitive configuration data (GDPR-regulated information stored in post meta) and modifies high-traffic pages to inject malicious content or SEO spam. …
Remediation Immediately upgrade Fusion Builder to version 3.15.0 or later, which patches the authorization vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-54194 CRITICAL
9.8 Jun 16

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users w
CVE-2026-54193 HIGH
7.7 Jun 17

Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Cont

Share

CVE-2026-32451 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy