CVE-2026-1543
published 2026-05-21
CVE-2026-1543: The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including…
Priority: P4 · 33 · medium · 6.4 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS
0.34%
25.5th percentile
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themefusion | avada_builder | <= 3.15.2 | — |
GHSA
ghsa_unreviewed·2026-05-21
CVE-2026-1543 [MEDIUM] CWE-79 GHSA-c7gm-xj5j-p869: The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and includ
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).
VulDB
vuldb·2026-05-21·CVSS 6.4
CVE-2026-1543 [MEDIUM] themefusion Avada Builder Plugin up to 3.15.2 on WordPress Dynamic Data Feature cross site scripting
A vulnerability was found in themefusion Avada Builder Plugin up to 3.15.2 on WordPress and classified as problematic. This issue affects some unknown processing of the component Dynamic Data Feature. Executing a manipulation can lead to cross site scripting.
The identification of this vulnerability is CVE-2026-1543. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.