WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery

WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can...

WordPress Avada (Fusion) Builder plugin <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability

Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions = 3.15.3...

CVE-2026-54194 WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability

Contributor PHP Object Injection in Fusion Builder = 3.15.4 versions...

WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference vulnerability

Authenticated Subscriber+ Sensitive Information Exposure via Insecure Direct Object Reference vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions = 3.15.1...

CVE-2026-32542 WordPress Fusion Builder plugin < 3.15.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemeFusion Fusion Builder fusion-builder allows Reflected XSS.This issue affects Fusion Builder: from n/a through 3.15.0...

CVE-2026-25472

CVE-2026-25472 is a Stored XSS vulnerability in ThemeFusion Fusion Builder (WordPress plugin)

CVE-2025-49940 WordPress Fusion Builder plugin <= 3.13.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemeFusion Fusion Builder fusion-builder allows DOM-Based XSS.This issue affects Fusion Builder: from n/a through = 3.13.2...

WordPress Avada Builder plugin <= 3.11.14 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions = 3.11.14...

WordPress Fusion Builder Plugin <= 3.11.9 is vulnerable to Cross Site Scripting (XSS)

Software Fusion Builder Type Plugin Vulnerable versions = 3.11.9 Fixed in 3.11.10 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-5628 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 3ab369f1b5cb Credits wesley wcraft Required...

WordPress Fusion Builder Plugin <= 3.11.1 is vulnerable to Cross Site Request Forgery (CSRF)

Software Fusion Builder Type Plugin Vulnerable versions = 3.11.1 Fixed in 3.11.2 OWASP Top 10 A1: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-39311 Patch priority Low CVSS severity Low 7.1 Developer Claim ownership PSID 970dca7b1596 Credits Rafie Muhammad...

WordPress Fusion Builder Plugin <= 3.11.1 is vulnerable to SQL Injection

Software Fusion Builder Type Plugin Vulnerable versions = 3.11.1 Fixed in 3.11.2 OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2023-39309 Patch priority High CVSS severity High 8.5 Developer Claim ownership PSID cdc92b887506 Credits Rafie Muhammad Patchstack Required privilege...