CVE-2026-56008 is a high-severity vulnerability in Fusion Builder plugin versions <= 3.15.4. It allows contributors to escalate their privileges. The vulnerability has a CVSS score of 8.8 and is considered HIGH. The CVE was published on 2026-06-26T15:16:41.927Z and last modified on 2026-06-29T16:16:41.930Z. Evidence from Patchstack suggests that the vulnerability exists. However, details about the vendor [truncated]
A critical vulnerability, CVE-2026-54194, has been discovered in Fusion Builder versions up to 3.15.4. This vulnerability allows unauthenticated attackers to inject malicious PHP objects, potentially leading to arbitrary code execution. With a CVSS score of 9.8, this vulnerability is considered critical and requires immediate attention. The vulnerability was published on June 17, 2026, and has since been [truncated]
CVE-2026-6279 describes a critical unauthenticated remote code execution issue in the Avada Builder (fusion-builder) WordPress plugin. The core problem is attacker-controlled data being passed from a base64-decoded JSON blob into call_user_func() without allowlist validation in the wp_conditional_tags path. Because the vulnerable logic is reachable through the non-privileged fusion_get_widget_markup AJAX [truncated]
CVE-2026-1543 is a stored cross-site scripting issue in the Avada (Fusion) Builder plugin for WordPress. According to the supplied source, multiple shortcodes fail to properly sanitize input and escape output in versions up to and including 3.15.2. That allows authenticated users with Subscriber-level access and above to store arbitrary scripts that can execute when another user views a page rendering the [truncated]