Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.
AnalysisAI
Arbitrary file read in Avada Builder plugin for WordPress versions up to 3.15.2 allows authenticated attackers with Subscriber-level access to read arbitrary files on the server via the 'fusion_get_svg_from_file' function in the 'fusion_section_separator' shortcode. Sensitive information including configuration files, database credentials, and private keys can be exposed. The vulnerability was partially patched in 3.15.2 and fully patched in version 3.15.3.
Technical ContextAI
The Avada Builder plugin processes the 'custom_svg' parameter within the 'fusion_section_separator' shortcode through the 'fusion_get_svg_from_file' function. This function fails to properly validate or sanitize file path input, allowing path traversal attacks (CWE-36: Path Traversal). The vulnerability exists in the SVG file retrieval mechanism, which is accessible to authenticated users at the Subscriber level and above. The affected component is part of the theme fusion framework's shortcode processing system.
RemediationAI
Immediately upgrade Avada Builder to version 3.15.3 or later, which includes the complete patch. Site administrators should prioritize this update due to the low authentication barrier (Subscriber level). Prior to patching, apply compensating controls: restrict the 'fusion_section_separator' shortcode usage to trusted administrators only by removing Subscriber capability to publish content with this shortcode, and audit file system logs for evidence of unauthorized file access attempts via this function. If immediate patching is impossible, disable the 'fusion_section_separator' shortcode entirely or restrict it to Administrator-only content areas. See Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/86346be9-7ca6-49b7-83b2-01a335d48c94?source=cve for further guidance.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-36 – Absolute Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29933