
Fusion Builder CVE-2026-54194

EUVD-2026-37509 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-16 · Patchstack
9.8 (CVSS 3.1 · Vendor: Patchstack)

Severity by source

  • Vendor (Patchstack), primary: 9.8 CRITICAL
    AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • vuln.today AI: 8.8 HIGH
    Network-reachable WordPress endpoint with low attack complexity, but the description requires Contributor authentication, so PR:L rather than PR:N; a successful POP chain typically yields full C/I/A impact.
    CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  1. Analysis Generated: Jun 16, 2026, 23:24 (vuln.today)

Description (CVE.org)

Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.

Analysis (AI)

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  1. Access: Obtain a Contributor WordPress account
  2. Delivery: Craft a serialized PHP object with a POP gadget
  3. Exploit: Submit the payload to the vulnerable Fusion Builder endpoint
  4. Execution: Plugin unserializes the attacker's object
  5. Persist: Magic method triggers a file write or command execution
  6. Impact: Drop a webshell and escalate to full site takeover

Vulnerability Assessment (AI)

Exploitation: Requires a valid authenticated WordPress account with at least the Contributor role on a site running Fusion Builder ≤ 3.15.4 (the vendor CVSS vector lists PR:N, but the description explicitly says 'Contributor'). …

Risk Assessment: The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) conflicts with the description, which explicitly scopes the bug to Contributor-level users; PR:N is therefore almost certainly wrong, and with PR:L the same vector scores 8.8 (High). …

Exploit Scenario: An attacker registers or compromises a Contributor account on a WordPress site running Fusion Builder ≤ 3.15.4, then submits a crafted request to a vulnerable plugin endpoint containing a serialized PHP object payload chained through a POP gadget available in the loaded codebase. The plugin deserializes the payload, instantiating attacker-controlled objects that, via __wakeup, __destruct or similar magic methods, lead to file writes or command execution under the web-server user, giving the attacker a foothold to drop a webshell and pivot to full site takeover. Which endpoint is affected and which gadget classes are reachable is not stated in the advisory data; the chain above is hypothetical.

Remediation: No vendor-released patch was identified in the data available at the time of analysis. Consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/fusion-builder/vulnerability/wordpress-fusion-builder-plugin-3-15-4-php-object-injection-vulnerability) and the ThemeFusion changelog for a version newer than 3.15.4 and upgrade as soon as one is published. …
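The analysis and exploit scenario above describe the mechanism in the abstract: a plugin passes request data to unserialize(), the payload names a class that is already loaded, and that class's magic method does something dangerous when the object is destroyed. The following is an added example, not Fusion Builder code and not derived from the advisory; the gadget class CacheWriter, its property names and the file paths are all assumptions chosen to make the chain visible. It shows the vulnerable sink next to the two fixes a plugin author can apply: unserialize() with allowed_classes => false (PHP 7.0 and later), or abandoning the serialized-object format for request data altogether.

```php
<?php
// Added example (not Fusion Builder or vuln.today code): a minimal PHP Object
// Injection sink, a hypothetical POP gadget, and two ways to close the sink.
// Class name, property names and file paths are all assumptions.

// Hypothetical gadget: stands in for any class loaded in the WordPress runtime
// whose magic method has a side effect. Nothing here is Fusion Builder code.
class CacheWriter
{
    public $path = '';
    public $contents = '';

    // PHP calls this when the object is destroyed, which happens as soon as the
    // value returned by unserialize() goes out of scope. The attacker chooses
    // $path and $contents through the serialized payload.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable sink: request data goes straight into unserialize(), so any class
// named in the payload is instantiated with attacker-chosen properties.
function vulnerable_load(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened sink (PHP >= 7.0): allowed_classes => false turns every object in the
// payload into a __PHP_Incomplete_Class, so no magic method can run.
function hardened_load(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Preferred fix for request data: use a format that cannot name classes at all
// (JSON_THROW_ON_ERROR needs PHP >= 7.3).
function json_load(string $untrusted): array
{
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Builds the payload the way an attacker would, as a string rather than by
// serializing a live object (which would trigger __destruct locally).
function build_payload(string $path, string $contents): string
{
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
        strlen($path), $path, strlen($contents), $contents
    );
}

// Returns true when the sink let the gadget write the target file.
function sink_allows_write(callable $sink, string $payload, string $target): bool
{
    @unlink($target);
    $obj = $sink($payload);
    unset($obj);               // forces __destruct on a real object; no-op otherwise
    return file_exists($target);
}

// Constructed demo: the "webshell" is just a marker file in the temp directory.
$target  = sys_get_temp_dir() . '/poi-demo.txt';
$payload = build_payload($target, "<?php echo 'poc'; ?>\n");

printf("vulnerable_load lets the gadget write: %s\n",
    sink_allows_write('vulnerable_load', $payload, $target) ? 'yes' : 'no');
printf("hardened_load lets the gadget write:   %s\n",
    sink_allows_write('hardened_load', $payload, $target) ? 'yes' : 'no');
@unlink($target);
```

Run it with `php poi-demo.php`. The first sink creates a real CacheWriter, and unset() triggers its __destruct, which performs the attacker-chosen write; the second sink yields a __PHP_Incomplete_Class whose destruction does nothing. In a real site the gadget is not a class the attacker supplies but one already present in WordPress core, the theme or another plugin, which is why the advisory's impact depends on "classes loaded in the WordPress runtime". Note that allowed_classes only stops object instantiation; it does not make unserialize() safe against oversized or deeply nested payloads, so the JSON route is the stronger fix where the format is under the plugin's control.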

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations running Fusion Builder ≤3.15.4 and audit current Contributor-level account assignments. …
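One way to carry out the inventory step above, as an added example that is not vuln.today's, Patchstack's or ThemeFusion's code: a stand-alone PHP script that walks a list of WordPress roots, reads the "Version:" line from the plugin's header comment the way WordPress's own plugin loader does, and flags installs at or below 3.15.4. The main-file path wp-content/plugins/fusion-builder/fusion-builder.php is an assumption; verify it against your installs.

```php
<?php
// Added example (not vuln.today, Patchstack or ThemeFusion code): find WordPress
// roots whose Fusion Builder copy is at or below 3.15.4. The main-file path is an
// assumption; the header parsing mirrors how WordPress reads "Version:" from the
// plugin's header comment.

const FUSION_BUILDER_LAST_VULNERABLE = '3.15.4';
// Assumed location of the plugin's main file relative to a WordPress root.
const FUSION_BUILDER_MAIN_FILE = 'wp-content/plugins/fusion-builder/fusion-builder.php';

// Extracts the "Version:" header from the first 8 KiB of a plugin main file,
// which is the region WordPress itself inspects. Returns null if absent.
function parse_plugin_version(string $fileContents): ?string
{
    $head = substr($fileContents, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $head, $m) !== 1) {
        return null;
    }
    $version = trim($m[1]);
    return $version === '' ? null : $version;
}

// version_compare() understands the dotted versions the plugin uses.
function is_vulnerable_version(?string $version): bool
{
    return $version !== null
        && version_compare($version, FUSION_BUILDER_LAST_VULNERABLE, '<=');
}

// Maps each WordPress root to "not installed", "version unknown",
// "vulnerable (x.y.z)" or "patched (x.y.z)".
function audit_wordpress_roots(array $roots): array
{
    $report = [];
    foreach ($roots as $root) {
        $file = rtrim($root, '/') . '/' . FUSION_BUILDER_MAIN_FILE;
        if (!is_readable($file)) {
            $report[$root] = 'not installed';
            continue;
        }
        $version = parse_plugin_version((string) file_get_contents($file));
        if ($version === null) {
            $report[$root] = 'version unknown';
        } elseif (is_vulnerable_version($version)) {
            $report[$root] = "vulnerable ($version)";
        } else {
            $report[$root] = "patched ($version)";
        }
    }
    return $report;
}

// Usage: php fb-audit.php /var/www/site1 /var/www/site2 ...
// Without arguments, the constructed header below exercises the parser.
$roots = array_slice($argv ?? [], 1);
if ($roots !== []) {
    foreach (audit_wordpress_roots($roots) as $root => $status) {
        echo "$root: $status\n";
    }
} else {
    // Constructed sample of a plugin main file's header comment.
    $sampleHeader = <<<'HEADER'
<?php
/**
 * Plugin Name: Fusion Builder
 * Version: 3.15.4
 */
HEADER;
    $v = parse_plugin_version($sampleHeader);
    echo "sample header version $v is ",
         is_vulnerable_version($v) ? "vulnerable\n" : "not vulnerable\n";
}
```

Treat "version unknown" as vulnerable until checked by hand. Where WP-CLI is available, `wp plugin get fusion-builder --field=version` gives the same answer per site, and the second half of the recommended action, the Contributor audit, is `wp user list --role=contributor --fields=ID,user_login,user_email`; review every account on that list, since each one is an entry point under this CVE.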
