WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery

WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can...

CVE-2026-32542

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemeFusion Fusion Builder fusion-builder allows Reflected XSS.This issue affects Fusion Builder: from n/a through 3.15.0...

CVE-2025-49940 WordPress Fusion Builder plugin <= 3.13.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemeFusion Fusion Builder fusion-builder allows DOM-Based XSS.This issue affects Fusion Builder: from n/a through = 3.13.2...

Avada < 7.4.2 - Reflected Cross-Site Scripting

Description The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue. https://theme-fusion.com/forums/search/z--FAIL/...

Wordpress Theme Fusion Arbitrary File Download Vulnerability

This exploit allows attacker to download any writable file from the server Usage Info Put the path of the file in the file's field of the exploit ,then click "Download" button then you get the file directly Title : Wordpress Theme Fusion Arbitrary File Download Vulnerability Author : Aloulou Date...