Skip to main content

Avada Fusion Builder

2 CVEs product

Monthly

CVE-2026-12536 MEDIUM This Month

Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.

XSS WordPress Avada Fusion Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8713 CRITICAL Act Now

Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.

Path Traversal PHP WordPress RCE Avada Fusion Builder
NVD
CVSS 3.1
9.1
EPSS
1.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.

XSS WordPress Avada Fusion Builder
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.

Path Traversal PHP WordPress +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy