{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1509", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-27T21:14:56.116Z", "datePublished": "2026-04-15T01:25:18.275Z", "dateUpdated": "2026-04-15T16:13:37.307Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T01:25:18.275Z"}, "affected": [{"vendor": "themefusion", "product": "Avada (Fusion) Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.15.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation."}], "title": "Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc57b06-bae9-49a3-84dd-f593705330e9?source=cve"}, {"url": "https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226"}, {"url": "https://avada.com/documentation/avada-changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2026-03-24T16:14:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-14T12:25:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:47:24.077989Z", "id": "CVE-2026-1509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:37.307Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:47:24.077989Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:47:28.648Z"}}], "cna": {"title": "Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "themefusion", "product": "Avada (Fusion) Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.15.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-24T16:14:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-14T12:25:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc57b06-bae9-49a3-84dd-f593705330e9?source=cve"}, {"url": "https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226"}, {"url": "https://avada.com/documentation/avada-changelog/"}], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T01:25:18.275Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1509", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:13:37.307Z", "dateReserved": "2026-01-27T21:14:56.116Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T01:25:18.275Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation."}], "id": "CVE-2026-1509", "lastModified": "2026-04-15T04:17:33.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T04:17:33.173", "references": [{"source": "security@wordfence.com", "url": "https://avada.com/documentation/avada-changelog/"}, {"source": "security@wordfence.com", "url": "https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc57b06-bae9-49a3-84dd-f593705330e9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.1]"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "Avada (Fusion) Builder", "source": "cna", "vendor": "themefusion"}, "product": "fusion_builder", "vendor": "themefusion"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T02:20:29.022165+00:00", "value": {"mitigation_remediation": ["Update Avada (Fusion) Builder to a version newer than 3.15.1 that removes or secures the output_action_hook function.", "Restrict Subscriber or lower role capabilities so they cannot access Dynamic Data actions, or explicitly deny the execute action for those roles.", "Audit existing WordPress action hooks and disable any that are unnecessary or could be abused, limiting the surface for potential exploitation."], "summary": {"action": "Apply Patch", "impact": "Arbitrary WordPress Action Execution with potential privilege escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Avada (Fusion) Builder plugin installed, versions based on or earlier than 3.15.1. The vulnerability is vendor specific to themefusion:Avada (Fusion) Builder and applies to every installation containing that plugin at a vulnerable version.", "description_and_impact": "The Avada (Fusion) Builder plugin for WordPress contains a flaw that allows authorized users with Subscriber level or higher to trigger any registered WordPress action hook through the Dynamic Data feature. By supplying crafted input to the plugin's output_action_hook function, an attacker can immediately execute any available hook, leading to privilege escalation, file inclusion, denial of service, or other exploits depending on the hooks present in the installation. The weakness is a classic code injection vulnerability (CWE-94).", "risk_and_exploitability": "The CVSS score for this vulnerability is 5.4, indicating a medium severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. The only prerequisite for exploitation is that the attacker is authenticated with at least Subscriber privileges, and that a WordPress action hook is registered in the site. The likely attack vector is through the plugin's administrative interface or API where Dynamic Data requests can be formed by an authenticated user. Given the medium score and lack of publicly known exploits, the overall risk remains moderate but requires timely remediation."}}}}, "created": "2026-04-15T13:48:23.606854+00:00", "updated": "2026-04-15T13:49:14.870436+00:00", "vendors": ["themefusion", "themefusion$PRODUCT$fusion_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}