PatchSiren cyber security CVE debrief
CVE-2026-12536 themefusion CVE debrief
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5. This vulnerability is due to insufficient input sanitization and output escaping, making it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue has a medium severity and requires Contributor-level access and above to exploit.
- Vendor
- themefusion
- Product
- Avada (Fusion) Builder
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of the Avada (Fusion) Builder plugin for WordPress, particularly those with Contributor-level access and above, should be aware of this vulnerability. Operators of WordPress platforms, security teams, and vulnerability management teams should review the official CVE record and NVD details for affected scope and severity.
Technical summary
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5. This is due to insufficient input sanitization and output escaping, making it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM.
Defensive priority
Medium priority, as the vulnerability requires Contributor-level access and above.
Recommended defensive actions
- Update the Avada (Fusion) Builder plugin to a version beyond 3.15.5.
- Restrict access to the plugin's functionality to prevent unauthorized modifications.
- Monitor for suspicious activity and implement additional security measures to detect potential attacks.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-13T20:16:42.520Z and was last modified on 2026-07-13T20:21:44.960Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify affected product deployments and review official advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T20:16:42.520Z and has not been modified since then. The NVD entry is currently Deferred.