Hong Kong Security Notice: Fusion Builder XSS (CVE-2026-32542)

Cross Site Scripting (XSS) in WordPress Fusion Builder Plugin

Urgent: Reflected XSS in Fusion Builder (< 3.15.0) — What WordPress Site Owners Must Do Now

Plugin Name: Fusion Builder
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-32542
Urgency: Medium
CVE Publish Date: 2026-03-22
Source URL: CVE-2026-32542

TL;DR

A reflected Cross-Site Scripting (XSS) vulnerability (CVE-2026-32542) exists in Fusion Builder versions prior to 3.15.0. The issue carries a CVSS base score of 7.1 (listed here with Medium urgency; on the CVSS v3 qualitative scale 7.1 falls in the High band) and lets attacker-supplied JavaScript run in the browser of a user who opens a crafted link to a site using the vulnerable builder, with that user's session. The vendor patched the issue in Fusion Builder 3.15.0. If you cannot update immediately, apply perimeter mitigations (virtual patching via WAF or hosting protections), harden administrative access, scan for suspicious activity, and follow the incident response checklist described below.

Why this matters

Reflected XSS is among the most commonly exploited web vulnerabilities because it pairs a technical weakness with a social-engineering step: the attacker only has to get a logged-in user to open a crafted link. A successful exploit can lead to session hijacking, impersonation of privileged users, and follow-on actions that establish persistence. Fusion Builder is widely used on sites that rely on a visual page builder, so both public pages and administrative screens may be targeted.

The vulnerability allows an attacker to craft a URL or form submission containing input that is reflected back without proper sanitization or encoding. When a targeted user—often an administrator or editor—clicks that crafted link while authenticated, the injected script executes in their browser context.

What is Fusion Builder and how visual builder vulnerabilities are abused

Fusion Builder is a visual page builder that injects layout, attributes and content into page markup. Visual builders frequently accept user-supplied strings (labels, attributes, preview parameters) and render them into HTML. If the plugin inserts untrusted input into HTML contexts without proper context-aware escaping, an attacker can embed JavaScript payloads that execute when the page is rendered.

Typical attack flow:

  • An attacker crafts a URL containing a malicious parameter and sends it to an administrator or editor.
  • A privileged user, while logged in, clicks the link.
  • The builder reflects the payload into an admin page or preview and the script executes in the user’s browser.
  • The attacker can then act through the user's session (WordPress sets its authentication cookies HttpOnly, so the script normally cannot read them, but it can submit admin forms and REST requests with the nonces present on the page) or load a second-stage payload to persist changes.

Vulnerability summary (CVE‑2026‑32542)

  • Affected software: Fusion Builder (bundled with Avada or distributed separately)
  • Vulnerable versions: versions earlier than 3.15.0
  • Vulnerability type: Reflected Cross‑Site Scripting (XSS)
  • CVSS: 7.1 (listed here as Medium urgency; 7.1 is in the High band of the CVSS v3 scale)
  • Required privilege: none to send the crafted link; successful exploitation requires a logged-in user, typically an administrator or editor, to open it
  • Patch: 3.15.0 — update to this version or later
  • Reported: March 2026

Note: reflected XSS is not persistent on the server by itself, but it can be used to deliver second‑stage payloads that establish persistence.

Technical breakdown (high level — safe to read)

The core issue in reflected XSS is improper output encoding. In WordPress, common causes include:

  • Echoing GET/POST parameters into HTML attributes or inline scripts without context-aware escaping.
  • Using developer APIs incorrectly (printing raw values instead of using esc_attr(), esc_html(), wp_kses_post(), etc.).
  • Reflecting values without validating expected names or formats.

Typical vulnerable contexts:

  • URL parameters echoed into inline JavaScript (an HTML escape does not help here; the value needs wp_json_encode() or esc_js()).
  • Parameters inside HTML attributes (value="...") without esc_attr(), or inside an attribute the template does not quote, where esc_attr() alone is not enough.
  • Parameters placed into page content without sanitization, or without validation against the format the code expects.

Example (simplified):

// Vulnerable pattern: the request parameter is printed raw, so a value such as
// <script>...</script> lands in the response unchanged.
echo $_GET['preview'];

// Safer pattern for a quoted HTML attribute: unslash, then escape for the
// attribute context. Use esc_html() for a text node, esc_url() for href/src,
// and wp_json_encode() when handing a value to inline JavaScript.
echo esc_attr( wp_unslash( $_GET['preview'] ?? '' ) );

For this vulnerability, an attacker likely crafts a URL with a malicious parameter that is reflected into the response without proper escaping.
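The following is an added example, not code from the Fusion Builder plugin or from WordPress. It models the output contexts listed above (HTML text, quoted and unquoted HTML attribute, inline JavaScript) plus an href in plain Python, feeds a constructed payload into each, and shows which escaping step is sufficient where. The function names mirror the WordPress helpers they approximate (esc_html, esc_attr, esc_url, wp_json_encode); the behaviour is a simplification, and the "preview" parameter name is taken from the snippet above, not from the advisory.

```python
"""Context-aware output encoding, modelled in plain Python.

Added example, not Fusion Builder or WordPress code. Each esc_* function
approximates the WordPress helper of the same name; payloads are constructed.
"""
import html
import json
import re
from typing import Optional

# Constructed attacker inputs, one per output context.
PAYLOAD_TEXT = "<script>alert(1)</script>"
PAYLOAD_UNQUOTED_ATTR = "x onfocus=alert(1) autofocus"  # contains none of < > " ' &
PAYLOAD_JS = "'; alert(1); //"
PAYLOAD_URL = "javascript:alert(1)"


def esc_html(value: str) -> str:
    """HTML text node. Approximates WordPress esc_html()."""
    return html.escape(value, quote=True)


def esc_attr(value: str) -> str:
    """HTML attribute value. Approximates esc_attr(): same characters as
    esc_html(), so it only protects an attribute the template actually quotes."""
    return html.escape(value, quote=True)


def esc_js(value: str) -> str:
    """Inline JavaScript string literal. A JSON-encoded string is a valid JS
    literal; '<' and '>' are escaped as well so a '</script>' inside the value
    cannot close the <script> element. Closer to wp_json_encode() than esc_js()."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def esc_url(value: str) -> str:
    """href/src value. Approximates esc_url(): only http(s) or site-relative
    URLs are accepted, then the result is attribute-escaped. Character escaping
    alone would pass a 'javascript:' URL through untouched."""
    v = value.strip()
    if not (v.lower().startswith(("http://", "https://")) or v.startswith("/")):
        return ""
    return esc_attr(v)


def validate_preview_id(value: str) -> Optional[str]:
    """Validation instead of escaping: when the expected format is known
    (here a slug-like id), reject anything else before it reaches a template."""
    return value if re.fullmatch(r"[a-z0-9_-]{1,64}", value) else None


def render_text(value: str) -> str:
    return f"<p>{esc_html(value)}</p>"


def render_attr(value: str, quoted: bool = True) -> str:
    if quoted:
        return f'<input name="preview" value="{esc_attr(value)}">'
    # Unquoted attribute: the browser ends the value at the first space and
    # parses the rest of the payload as new attributes (onfocus=...), so
    # esc_attr() changed nothing and the page is still exploitable.
    return f'<input name="preview" value={esc_attr(value)}>'


def render_js(value: str) -> str:
    return f"<script>var preview = {esc_js(value)};</script>"


def render_href(value: str) -> str:
    return f'<a href="{esc_url(value)}">preview</a>'


if __name__ == "__main__":
    print(render_text(PAYLOAD_TEXT))
    print(render_attr(PAYLOAD_UNQUOTED_ATTR, quoted=True))
    print(render_attr(PAYLOAD_UNQUOTED_ATTR, quoted=False))  # still exploitable
    print(render_js(PAYLOAD_JS))
    print(render_href(PAYLOAD_URL))  # href is emptied, payload dropped
    print(validate_preview_id("page-12"), validate_preview_id(PAYLOAD_TEXT))
```

The unquoted-attribute case is the one to remember when reviewing builder templates: the escape call is present and correct, yet the payload needs none of the characters it encodes. Quoting the attribute in the template, or validating the value against its expected format, closes that gap.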

Attack scenarios and real‑world impact

  1. Session hijacking: A privileged user opens a malicious link and the script acts with that user's session. WordPress sets its authentication cookies HttpOnly, so document.cookie usually does not expose them; the script instead submits requests as the victim, carrying the nonces available on the admin page, or exfiltrates any tokens it can read.
  2. Site configuration manipulation: Injected script triggers actions the admin can perform (create users, change settings, install plugins).
  3. Persistence: Use of reflected XSS to plant backdoors (for example through the built-in plugin or theme file editor), create new admin accounts, or store malicious content for later use.
  4. Reputation and SEO damage: Injected scripts can redirect visitors, serve unwanted ads, or modify content in ways that harm search ranking.

Automated scanners and exploit scripts will likely target unpatched instances quickly, so rapid mitigation reduces exposure.

How to check if your site is affected

  1. Identify plugin and version
    • Dashboard: Plugins → Installed Plugins → Fusion Builder (or check the Avada theme bundle).
    • WP-CLI: wp plugin list --path=/path/to/site | grep -i fusion (for the copy bundled with Avada, also check the theme version with wp theme list --path=/path/to/site)
    • If the version is older than 3.15.0, treat the site as vulnerable.
  2. Confirm update availability
    • Check plugin or theme update channels; bundled builders often require updating the theme package.
  3. Review logs for suspicious activity
    • Web server logs: look for GET requests with parameters containing
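The following is an added example for the log-review step, not code from the original advisory or from the plugin vendor. It parses access-log lines in the combined log format, URL-decodes every query parameter repeatedly (attackers double-encode payloads to slip past naive grep patterns), and flags values that contain markup, event-handler attributes or javascript: URLs. The five log lines are constructed for the demonstration; the parameter and path names in them are illustrative, since this page does not state which parameter Fusion Builder reflects, so all query parameters are inspected.

```python
"""Scan access logs for reflected-XSS attempts in query parameters.

Added example, not advisory or vendor code. SAMPLE_LOG is constructed;
parameter names in it are illustrative, and every parameter is scanned.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines (combined log format). Lines 2 to 4 carry payloads;
# line 3 is double URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2026:10:01:12 +0000] "GET /wp-admin/admin.php?preview=page-12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Mar/2026:10:02:40 +0000] "GET /wp-admin/admin.php?preview=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Mar/2026:10:02:41 +0000] "GET /?preview=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 310 "-" "curl/8.0"
192.0.2.9 - - [22/Mar/2026:10:03:05 +0000] "GET /contact/?preview=%22%20autofocus%20onfocus%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Mar/2026:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (pattern, label): markup or script that a builder parameter should never contain.
XSS_INDICATORS = [
    (re.compile(r"<\s*/?\s*script", re.I), "script tag"),
    (re.compile(r"<\s*(img|svg|iframe|body|object|embed|math|details)\b", re.I), "html element"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]


@dataclass
class Finding:
    ip: str
    path: str
    param: str
    decoded: str      # parameter value after full decoding
    rounds: int       # how many decode passes changed the value (2 = double-encoded)
    indicators: Tuple[str, ...]


def decode_fully(value: str, max_rounds: int = 3) -> Tuple[str, int]:
    """URL-decode until the value stops changing, counting the passes."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def split_query(query: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, raw_value) without decoding, so decode_fully can count passes."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), value


def scan_line(line: str) -> List[Finding]:
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    for name, raw in split_query(parts.query):
        decoded, rounds = decode_fully(raw)
        hits = tuple(label for pat, label in XSS_INDICATORS if pat.search(decoded))
        if hits:
            findings.append(Finding(m.group("ip"), parts.path, name, decoded, rounds, hits))
    return findings


def scan_log(text: str) -> List[Finding]:
    return [f for line in text.splitlines() for f in scan_line(line)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Attempts per source IP, for blocking or further log pivoting."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ip} {f.path} param={f.param!r} decode_rounds={f.rounds} "
              f"[{', '.join(f.indicators)}]\n    {f.decoded}")
    print(summarize(hits))
```

Run it against a real log with scan_log(open(path).read()); a non-zero rounds value on a hit is worth a closer look, because double encoding is a deliberate evasion rather than a browser artefact. Treat hits that returned HTTP 200 from an authenticated admin path as potential successful exploitation and move to the incident response steps.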