
Fusion Builder

5 CVEs product


CVE-2026-54193 HIGH This Week

Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Contributor-level privileges to delete arbitrary files on the underlying server via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Fusion Builder
NVD VulDB
CVSS 3.1: 7.7
EPSS: 0.3%
CVE-2026-54194 CRITICAL Act Now

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. No public exploit was identified at the time of analysis, and the issue is not on CISA KEV, but the Contributor prerequisite is a low bar in many multi-author WordPress deployments.

PHP Deserialization Fusion Builder
NVD VulDB
CVSS 3.1: 9.8
EPSS: 0.5%
CVE-2026-32542 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Fusion Builder, a WordPress page builder plugin, affecting all versions prior to 3.15.0. Because input is improperly sanitized, an unauthenticated attacker can inject malicious JavaScript into web pages, allowing them to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No CVSS score, EPSS data, or public proof-of-concept has been officially published, but the vulnerability has been documented by Patchstack and assigned EUVD-2026-15919; patch availability is confirmed via the vendor advisory.

XSS Fusion Builder
NVD VulDB
CVSS 3.1: 7.1
EPSS: 0.0%
CVE-2026-32452 MEDIUM PATCH This Month

This vulnerability is a missing authorization flaw in ThemeFusion Fusion Builder that allows unauthenticated attackers to exploit incorrectly configured access controls to modify content or settings. The issue affects Fusion Builder versions prior to 3.15.0. Because the flaw is reachable over the network and requires no authentication, any remote attacker can exploit it without special privileges. While the CVSS score of 5.3 indicates moderate severity with integrity impact but no confidentiality or availability loss, the lack of an authentication requirement elevates real-world risk for WordPress sites using affected versions.

Authentication Bypass Fusion Builder
NVD VulDB
CVSS 3.1: 5.3
EPSS: 0.0%
CVE-2026-32451 MEDIUM PATCH This Month

Fusion Builder, a WordPress plugin by ThemeFusion, contains a missing authorization vulnerability (CWE-862) that allows authenticated attackers with low privileges to bypass access controls and perform unauthorized actions. Versions prior to 3.15.0 are affected, and attackers can exploit incorrectly configured access control to read, modify, or delete sensitive data. The CVSS 6.3 score reflects moderate severity with network accessibility and low attack complexity, though neither KEV inclusion nor widespread exploitation has been publicly documented at this time.

Authentication Bypass Fusion Builder
NVD VulDB
CVSS 3.1: 6.5
EPSS: 0.0%
