Fusion Builder
CVE-2026-54193
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Remote contributor-authenticated request (AV:N, AC:L, PR:L, UI:N) deletes files outside the plugin (S:C); only availability is directly impacted (C:N/I:N/A:H).
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Description (CVE.org)
Contributor Arbitrary File Deletion in Fusion Builder <= 3.15.4 versions.
Analysis (AI)
Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Contributor-level privileges to delete arbitrary files on the underlying server via a path traversal flaw. Deleting critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV.
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated WordPress account with at least the Contributor role on a site running Fusion Builder version 3.15.4 or earlier, and network reachability to the WordPress admin/AJAX surface where the vulnerable file-handling action lives; no interaction from another user is needed (UI:N). … |
| Risk Assessment | The CVSS 3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) reflects a network-reachable, low-complexity flaw requiring only Contributor-level credentials, with a scope change because the deleted files affect resources beyond the vulnerable plugin (e.g., core WordPress files), and a High availability impact via destructive deletion. … |
| Exploit Scenario | An attacker registers (or compromises) a Contributor account on a WordPress site running Fusion Builder <= 3.15.4, then sends an authenticated request to a Fusion Builder file-handling endpoint with a path-traversal payload pointing at wp-config.php. With the file deleted, the next visit to the site triggers the WordPress setup wizard, allowing the attacker to point WordPress at an attacker-controlled database and gain full administrator access. … |
| Remediation | Upgrade the Fusion Builder plugin to a version newer than 3.15.4 once ThemeFusion publishes a fixed release; refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/fusion-builder/vulnerability/wordpress-fusion-builder-plugin-3-15-4-arbitrary-file-deletion-vulnerability for the patched version and vendor changelog. … |
Recommended Action (AI)
Within 24 hours: Audit all Contributor-level and higher user accounts in affected WordPress installations; remove or downgrade any unnecessary Contributor accounts; implement file integrity monitoring on wp-config.php and wp-settings.php. …
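A minimal integrity check for the two files the recommended action names, added here as an example; it is not part of this advisory or of the plugin. It assumes the operator supplies the WordPress root path, records a known-good SHA-256 baseline, and reports a file as "missing" when it has been deleted, the condition this flaw produces for wp-config.php.

```python
import hashlib
from pathlib import Path
from typing import Dict, Optional

# Files the advisory's recommended action singles out for monitoring.
WATCHED_FILES = ("wp-config.php", "wp-settings.php")


def sha256_of(path: Path) -> Optional[str]:
    """SHA-256 hex digest of a file, or None if the file is absent."""
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(wp_root: Path) -> Dict[str, Optional[str]]:
    """Record the known-good digest of each watched file under wp_root."""
    return {name: sha256_of(wp_root / name) for name in WATCHED_FILES}


def check_integrity(wp_root: Path, baseline: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Compare live files against the baseline.

    One status per watched file: 'ok', 'modified' or 'missing'. A missing
    wp-config.php means WordPress will offer the setup wizard on next load.
    """
    report = {}
    for name, expected in baseline.items():
        current = sha256_of(wp_root / name)
        if current is None:
            report[name] = "missing"
        elif current == expected:
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


if __name__ == "__main__":
    # Placeholder path; the operator supplies the real WordPress root.
    root = Path("/var/www/html")
    baseline = build_baseline(root)  # in practice, store this off-host
    for file_name, status in check_integrity(root, baseline).items():
        print(f"{file_name}: {status}")
```

Store the baseline outside the web root (or off-host) so that an attacker who can delete files cannot also erase the reference digests.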