PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12536 themefusion CVE debrief

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5. This vulnerability is due to insufficient input sanitization and output escaping, making it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue has a medium severity and requires Contributor-level access and above to exploit.

Vendor
themefusion
Product
Avada (Fusion) Builder
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of the Avada (Fusion) Builder plugin for WordPress, particularly those with Contributor-level access and above, should be aware of this vulnerability. Operators of WordPress platforms, security teams, and vulnerability management teams should review the official CVE record and NVD details for affected scope and severity.

Technical summary

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5. This is due to insufficient input sanitization and output escaping, making it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM.

Defensive priority

Medium priority, as the vulnerability requires Contributor-level access and above.

Recommended defensive actions

  • Update the Avada (Fusion) Builder plugin to a version beyond 3.15.5.
  • Restrict access to the plugin's functionality to prevent unauthorized modifications.
  • Monitor for suspicious activity and implement additional security measures to detect potential attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-13T20:16:42.520Z and was last modified on 2026-07-13T20:21:44.960Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify affected product deployments and review official advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T20:16:42.520Z and has not been modified since then. The NVD entry is currently Deferred.