PatchSiren cyber security CVE debrief
CVE-2026-1543 themefusion CVE debrief
CVE-2026-1543 is a stored cross-site scripting issue in the Avada (Fusion) Builder plugin for WordPress. According to the supplied source, multiple shortcodes fail to properly sanitize input and escape output in versions up to and including 3.15.2. That allows authenticated users with Subscriber-level access and above to store arbitrary scripts that can execute when another user views a page rendering the affected dynamic data.
- Vendor
- themefusion
- Product
- Avada (Fusion) Builder
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-21
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-21
- Advisory updated
- 2026-05-21
Who should care
WordPress site owners, administrators, and security teams running Avada (Fusion) Builder versions 3.15.2 and earlier, especially sites that use Dynamic Data or display user biographical information through shortcodes.
Technical summary
The issue is a CWE-79 stored XSS in shortcode handling. The vulnerable code path allows untrusted shortcode content to be saved and later rendered without sufficient sanitization/escaping. The supplied description highlights the Dynamic Data feature as a practical trigger, where stored script content can execute in the browser of a user viewing a page that pulls user-biographical data. The NVD data provided lists CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, which aligns with an authenticated, network-reachable impact on confidentiality and integrity.
Defensive priority
Medium. The score is moderate, but stored XSS in an admin-facing workflow can have outsized impact because malicious content may execute in a privileged user’s browser when affected pages are viewed.
Recommended defensive actions
- Upgrade Avada (Fusion) Builder to a version newer than 3.15.2 if available from the vendor.
- Review any use of shortcodes and Dynamic Data that render user-provided fields, especially biographical or profile content.
- Audit existing page and shortcode content for unexpected script, HTML, or event-handler payloads.
- Restrict untrusted roles and review whether Subscriber-level users should be allowed to create or edit content that reaches affected shortcode paths.
- Monitor for suspicious post/page edits and unexpected changes in rendered frontend content.
- Validate any vendor guidance or changelog notes associated with the affected release line before and after upgrading.
Evidence notes
The supplied corpus identifies the issue as an authenticated stored XSS in the Avada (Fusion) Builder plugin for WordPress, affecting versions up to and including 3.15.2. The provided NVD metadata lists CWE-79 and CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N with vuln status "Received." Reference links supplied in the corpus point to the Avada changelog, the ThemeForest product page, and a Wordfence vulnerability advisory. Vendor attribution in the source corpus is low confidence and should be reviewed.
Official resources
Published in the supplied CVE/NVD data on 2026-05-21T05:16:22.257Z. No CISA KEV entry was provided in the source corpus.