What is the CVSS score of CVE-2026-32542?

CVE-2026-32542 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Fusion Builder are affected by CVE-2026-32542?

ThemeFusion Fusion Builder WordPress plugin versions prior to 3.15.0 contain a reflected XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages,…. A patch is available.

How to fix or mitigate CVE-2026-32542?

Within 24 hours: Inventory all WordPress installations using Fusion Builder and document current versions. Within 7 days: Update Fusion Builder to version 3.15.0 or later across all affected WordPress sites; verify updates completed via plugin management dashboard. Within 30 days: Conduct security audit of WordPress environment; review web application firewall (WAF) logs for XSS attack patterns; implement input validation and output encoding best practices site-wide.

Fusion Builder CVE-2026-32542

EUVD-2026-15919 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-03-25 Patchstack

XSS Fusion Builder

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 16:37 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 06:14 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.15.0

EUVD ID Assigned

Mar 25, 2026 - 16:47 euvd

EUVD-2026-15919

Analysis Generated

Mar 25, 2026 - 16:47 vuln.today

CVE Published

Mar 25, 2026 - 16:15 nvd

HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Reflected XSS.This issue affects Fusion Builder: from n/a through < 3.15.0.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Fusion Builder, a WordPress page builder plugin, affecting all versions prior to 3.15.0. An unauthenticated attacker can inject malicious JavaScript into web pages through improper input sanitization, allowing them to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious URL with XSS payload

Delivery

User clicks link in email or browser

Exploit

Payload injected into Fusion Builder page

Execution

JavaScript executes in victim's browser

Impact

Steal session cookies or credentials