Themefusion Fusion Builder

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Themefusion Fusion Builder.

By the Year

In 2026 there have been 8 vulnerabilities in Themefusion Fusion Builder with an average score of 6.6 out of ten. Last year, in 2025 Fusion Builder had 1 security vulnerability published. That is, 7 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.05.

Year	Vulnerabilities	Average Score
2026	8	6.55
2025	1	6.50

It may take a day or so for new Fusion Builder vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Themefusion Fusion Builder Security Vulnerabilities

Fusion Builder <=3.15.4 Arbitrary File Deletion
CVE-2026-54193 7.7 - High - June 17, 2026

Contributor Arbitrary File Deletion in Fusion Builder <= 3.15.4 versions.

Directory traversal

PHP Object Injection in Fusion Builder <= 3.15.4
CVE-2026-54194 9.8 - Critical - June 16, 2026

Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions.

Marshaling, Unmarshaling

Avada (Fusion) Builder WP Plugin <3.15.1 Arbitrary Action Exec Vulnerability
CVE-2026-1509 5.4 - Medium - April 15, 2026

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation.

Code Injection

WordPress Avada Fusion Builder SI Exposure <3.15.1
CVE-2026-1541 4.3 - Medium - April 15, 2026

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter.

Insecure Direct Object Reference / IDOR

Fusion Builder XSS via Reflected XSS in <3.15.0
CVE-2026-32542 7.1 - High - March 25, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Reflected XSS.This issue affects Fusion Builder: from n/a through < 3.15.0.

XSS

CVE-2026-32452: Missing Auth in Fusion Builder <3.15.0 (WP)
CVE-2026-32452 5.3 - Medium - March 13, 2026

Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fusion Builder: from n/a through < 3.15.0.

AuthZ

Missing Auth in ThemeFusion Fusion Builder <=3.15.0
CVE-2026-32451 6.3 - Medium - March 13, 2026

AuthZ

Fusion Builder Stored XSS (<=3.14.3) Improper Neutralization of Input
CVE-2026-25472 6.5 - Medium - February 19, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Stored XSS.This issue affects Fusion Builder: from n/a through <= 3.14.1.

XSS

WordPress Fusion Builder <=3.13.2 DOM-Based XSS via fusion-builder
CVE-2025-49940 6.5 - Medium - October 22, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows DOM-Based XSS.This issue affects Fusion Builder: from n/a through <= 3.13.2.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Themefusion Fusion Builder or by Themefusion? Click the Watch button to subscribe.

Themefusion
Vendor

Themefusion Fusion Builder
Product

Themefusion Fusion Builder

Don't miss out!

By the Year

Recent Themefusion Fusion Builder Security Vulnerabilities

Fusion Builder <=3.15.4 Arbitrary File Deletion CVE-2026-54193 7.7 - High - June 17, 2026

PHP Object Injection in Fusion Builder <= 3.15.4 CVE-2026-54194 9.8 - Critical - June 16, 2026

Avada (Fusion) Builder WP Plugin <3.15.1 Arbitrary Action Exec Vulnerability CVE-2026-1509 5.4 - Medium - April 15, 2026

WordPress Avada Fusion Builder SI Exposure <3.15.1 CVE-2026-1541 4.3 - Medium - April 15, 2026

Fusion Builder XSS via Reflected XSS in <3.15.0 CVE-2026-32542 7.1 - High - March 25, 2026

CVE-2026-32452: Missing Auth in Fusion Builder <3.15.0 (WP) CVE-2026-32452 5.3 - Medium - March 13, 2026

Missing Auth in ThemeFusion Fusion Builder <=3.15.0 CVE-2026-32451 6.3 - Medium - March 13, 2026

Fusion Builder Stored XSS (<=3.14.3) Improper Neutralization of Input CVE-2026-25472 6.5 - Medium - February 19, 2026

WordPress Fusion Builder <=3.13.2 DOM-Based XSS via fusion-builder CVE-2025-49940 6.5 - Medium - October 22, 2025