EUVD-2026-31211

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1543

CVE-2026-1543 concerns the Avada (Fusion) Builder WordPress plugin. All versions up to and including 3.15.2 are affected by a Stored Cross-Site Scripting (XSS) flaw due to insufficient input sanitization and output escaping. The vulnerability can be exploited by an authenticated attacker with Sub...

EUVD-2026-31209

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

CVE-2026-6279

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

CVE-2026-6279 Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

CVE-2026-6279

The CVE-2026-6279 entry identifies a vulnerability in the Avada Builder (fusion-builder) WordPress plugin up to version 3.15.2. The root cause is a PHP function injection flaw in Fusion_Builder_Conditional_Render_Helper::get_value(), where attacker-controlled data from a base64-decoded JSON blob ...

CVE-2026-6279 Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...

PT-2026-42396

Name of the Vulnerable Software and Affected Versions Avada Builder fusion-builder versions prior to 3.15.3 Description The Avada Builder plugin for WordPress allows unauthenticated remote code execution through PHP Function Injection. The issue occurs because the wp conditional tags case within...

PT-2026-42394

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

PT-2026-42460

Name of the Vulnerable Software and Affected Versions Divi Form Builder versions prior to 5.1.3 Description The Divi Form Builder plugin for WordPress allows unauthenticated attackers to create administrator accounts. This occurs because the plugin accepts a user-controlled role parameter from PO...

PT-2026-42688

Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0 Description In pkg/builder/builder.go, the software passes the Environment.spec.builder.command variable directly into the exec.Command function after a strings.Fields split without validating the executable pa...

PT-2026-42603

Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the ModelBuilder/Serve component stores an HMAC signing key in cleartext as a container environment variable,...

WordPress plugin Avada (Fusion) Builder 注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

WordPress plugin Avada (Fusion) Builder 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin Divi Form Builder 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-45443 WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 5.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1...

CVE-2026-45443 WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 5.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1...