WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery

WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can...

CVE-2026-56008

Contributor Privilege Escalation in Fusion Builder = 3.15.4 versions...

CVE-2026-56008

CVE-2026-56008 affects WordPress Fusion Builder plugin versions

EUVD-2026-39685

Contributor Privilege Escalation in Fusion Builder = 3.15.4 versions...

WordPress Avada (Fusion) Builder plugin <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability

Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions = 3.15.3...

WordPress Fusion Builder plugin <= 3.15.4 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions = 3.15.4...

EUVD-2026-37715

Contributor Arbitrary File Deletion in Fusion Builder = 3.15.4 versions...

CVE-2026-54193

Contributor Arbitrary File Deletion in Fusion Builder = 3.15.4 versions...

CVE-2026-54194

Contributor PHP Object Injection in Fusion Builder = 3.15.4 versions...

CVE-2026-54193 WordPress Fusion Builder plugin <= 3.15.4 - Arbitrary File Deletion vulnerability

Contributor Arbitrary File Deletion in Fusion Builder = 3.15.4 versions...

PT-2026-50414

Name of the Vulnerable Software and Affected Versions Fusion Builder versions prior to 3.15.5 Description A path traversal issue allows users with the Contributor role to delete arbitrary files on the server. Recommendations Limit user roles as a temporary mitigation measure. At the moment, there...

CVE-2026-54194 WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability

Contributor PHP Object Injection in Fusion Builder = 3.15.4 versions...

CVE-2026-54194

CVE-2026-54194 concerns the WordPress Fusion Builder plugin, affected versions ≤ 3.15.4, with a PHP Object Injection vulnerability identified in the CVE record. The provided information confirms the affected component (Fusion Builder), the vulnerable version range, and the nature of the issue (PH...

PT-2026-50127

Name of the Vulnerable Software and Affected Versions Fusion Builder versions prior to 3.15.5 Description A PHP Object Injection issue exists in the software. This occurs when an application deserializes untrusted data, allowing an attacker to manipulate the objects created and potentially execut...

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

WordPress Avada (Fusion) Builder plugin <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions = 3.15.2...

Exploit for CVE-2026-6279

CVE-2026-6279 Avada Builder = 3.15.2 — Unauthenticated RCE v...

WordPress Avada (Fusion) Builder plugin <= 3.15.2 - Unauthenticated Remote Code Execution vulnerability

Unauthenticated Remote Code Execution vulnerability discovered by ? in WordPress Plugin Fusion Builder versions = 3.15.2...

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-6279 Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler

The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...