CVE-2026-1543

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).
Configurations

No configuration.

History

21 May 2026, 05:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-21 05:16

Updated : 2026-06-17 10:16


NVD link : CVE-2026-1543

Mitre link : CVE-2026-1543

CVE.ORG link : CVE-2026-1543


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')