EUVD-2026-22822

🗓️ 22 Apr 2026 21:31:43Reported by EUVDType

Avada WordPress plugin exposes protected metadata to subscribers via post_custom_field up to version 3.15.1.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-1541	15 Apr 202601:25	–	attackerkb
Circl	CVE-2026-1541	15 Apr 202604:39	–	circl
CNNVD	WordPress plugin Avada (Fusion) Builder 安全漏洞	15 Apr 202600:00	–	cnnvd
CVE	CVE-2026-1541	15 Apr 202601:25	–	cve
Cvelist	CVE-2026-1541 Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference	15 Apr 202601:25	–	cvelist
NVD	CVE-2026-1541	15 Apr 202604:17	–	nvd
Patchstack	WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference vulnerability	15 Apr 202603:41	–	patchstack
Positive Technologies	PT-2026-32995	15 Apr 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-1541 Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference	15 Apr 202601:25	–	vulnrichment

[
  {
    "enisaIdVendor": [
      {
        "id": "6b48f707-09fb-3d89-b8d0-d60d860a7675",
        "vendor": {
          "name": "ThemeFusion"
        }
      },
      {
        "id": "ac6adf6c-1321-31f9-95be-276680eb855b",
        "vendor": {
          "name": "ThemeFusion"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "668fcfa9-8612-3134-83ed-30817c6c5f19",
        "product": {
          "name": "Avada (Fusion) Builder"
        },
        "product_version": "0 ≤3.15.1"
      }
    ]
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/f1f69f93-80e3-434d-98a6-fc8757b4e6d1
themeforest	www.themeforest.net/item/avada-responsive-multipurpose-theme/2833226
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-1541

22 Apr 2026 21:31Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.14.3

EPSS0.00011

SSVC