CVE-2026-32542: Reflected XSS in Fusion Builder
Platform: wordpress
Component: fusion-builder
Fixed in: 3.15.1
CVE-2026-32542 describes a Reflected Cross-Site Scripting (XSS) vulnerability in ThemeFusion Fusion Builder, a WordPress plugin. A reflected XSS flaw lets an unauthenticated attacker craft a URL that, when opened by a victim, makes the victim's browser run attacker-supplied JavaScript with the site's origin, which can lead to account compromise and data theft. Versions up to and including 3.15.0 are affected; the fix is available in version 3.15.1.
Impact and Attack Scenarios
To exploit this reflected XSS vulnerability an attacker must get a victim to open a specially crafted URL, typically by phishing; the JavaScript carried in that URL then runs in the victim's browser with the site's origin. From there the script can read anything the page can, rewrite the page as the victim sees it, redirect the victim to a malicious site, or issue requests that ride on the victim's authenticated session. Stealing cookies is the classic outcome, but WordPress marks its authentication cookies HttpOnly, so the more realistic path is to drive the logged-in session directly: if the victim is a site administrator, the script can use that session and its nonces to create users, change settings, or install plugins, which amounts to full site compromise. The impact is most severe on sites that handle sensitive data such as login credentials or payment information. The blast radius is every user who can be induced to open the crafted link; each victim has to be targeted individually, so the practical risk concentrates on administrators and editors.
Exploitation Context
CVE-2026-32542 was publicly disclosed on 2026-03-25. No public proof-of-concept exploit is known at the time of writing, but reflected XSS is simple to weaponize once the injection point is known, since the exploit is nothing more than a URL. The EPSS score of 0.04% (11th percentile) predicts a low probability of exploitation in the wild over the next 30 days; set against Fusion Builder's large install base, a medium probability of opportunistic phishing-driven exploitation remains a prudent working assumption. Monitor security advisories and threat intelligence feeds for signs of active exploitation, and treat administrators' inboxes as the likely delivery channel.
Threat Intelligence
Exploit Status: no public proof-of-concept exploit known
EPSS: 0.04% (11th percentile)
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (assembled from the metric values listed below)
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access is required, so the attack surface is the widest possible.
- Attack Complexity: Low. No special conditions are required; the attacker does not depend on rare configurations or timing.
- Privileges Required: None. The attacker needs no account or credentials on the site.
- User Interaction: Required. A victim must open the crafted URL, for example by clicking a link in an email or message.
- Scope: Changed. The vulnerable component (the plugin's server-side code) and the impacted component (the victim's browser) are different security authorities, which is why XSS is scored with a changed scope.
- Confidentiality: Low. The script can read data the victim's browser can access on the site, not the server's data store directly.
- Integrity: Low. The attacker can modify some data with limited scope or impact, bounded by what the victim's session is allowed to do.
- Availability: Low. As scored here, partial or intermittent degradation; for a reflected XSS this is limited to what the script can do in the victim's browser.
Affected Software
ThemeFusion Fusion Builder (WordPress plugin, slug fusion-builder), versions up to and including 3.15.0. Fixed in 3.15.1.
Weakness Classification (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline
- Published: 2026-03-25
Mitigation and Workarounds
The primary mitigation for CVE-2026-32542 is to upgrade Fusion Builder to version 3.15.1 or later. If upgrading is not immediately feasible, reduce exposure rather than rely on partial fixes: a Web Application Firewall with XSS rules blocks common payloads but is bypassable and is not a substitute for the patch, and a Content-Security-Policy that disallows inline script limits what a reflected payload can do. The underlying defect is missing output encoding, so any hardening of your own custom code should apply WordPress's context-specific escaping functions (esc_html(), esc_attr(), esc_url(), esc_js()) at the point where a user-supplied value is written into the page; validate input where its format allows (integers, slugs), but the decisive control is encoding on output. After upgrading, confirm the fix on a site you are authorized to test: pass a harmless marker containing HTML metacharacters (for example "><test>) through the URL parameter in question and inspect the raw response body. If the marker comes back entity-encoded (&quot;&gt;&lt;test&gt;) the fix is effective; if it comes back byte-for-byte the site is still vulnerable. Do not judge by whether alert(1) pops in a browser, since CSP, browser extensions or a WAF can mask a reflection that is still exploitable.
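The version check and the verification step above can be scripted. The following Python is an added example and is not Fusion Builder, ThemeFusion or WordPress code: it decides whether an installed version is in the affected range, and classifies how a marker value comes back in a page body so that an unencoded reflection (still vulnerable) is distinguished from an entity-encoded one (fixed) or a stripped one (needs manual inspection). The advisory does not name the vulnerable URL parameter, so `param` is supplied by the tester; the sample responses in the `__main__` block are constructed stand-ins for a live site, and the live `probe()` function must only be pointed at sites you are authorized to test.

```python
"""Added example (not Fusion Builder, ThemeFusion or WordPress code).
Checks the affected version range for CVE-2026-32542 and classifies how a
probe value is reflected in a response body.  The vulnerable parameter is
not named in the advisory; the tester supplies it."""
import html
import re
import secrets
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FIXED_VERSION = (3, 15, 1)   # advisory: affected <= 3.15.0, fixed in 3.15.1


def parse_version(version):
    """'3.15.0' -> (3, 15, 0); missing components are treated as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(version):
    return parse_version(version) < FIXED_VERSION


def make_canary(token=None):
    """Return (canary, token).  The token is a harmless alphanumeric marker;
    the characters around it are the ones an HTML attribute sink must encode.
    No script runs even if the value is reflected raw."""
    token = token or "xss" + secrets.token_hex(4)
    return f'"><{token}>', token


def build_probe_url(base_url, param, canary):
    """Add or replace `param` in the query string of base_url."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body, canary, token):
    """
    'unencoded': canary appears byte-for-byte      -> still vulnerable
    'encoded'  : canary appears entity-encoded     -> fix is effective
    'altered'  : token present, metacharacters not -> stripped or partially
                 encoded; inspect the surrounding context by hand
    'absent'   : value is not reflected at all
    """
    if canary in body:
        return "unencoded"
    if html.escape(canary, quote=True) in body:   # &quot;&gt;&lt;token&gt;
        return "encoded"
    if token in body:
        return "altered"
    return "absent"


def probe(base_url, param, timeout=10):
    """Live check: fetch the probe URL and classify the response.
    Assumes a plain GET reaches the sink; use only with authorization."""
    canary, token = make_canary()
    url = build_probe_url(base_url, param, canary)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return url, classify_reflection(body, canary, token)


if __name__ == "__main__":
    # Constructed sample responses standing in for a live site.
    canary, token = make_canary("xsscafe1234")
    samples = {
        "vulnerable": f'<input type="text" name="s" value="{canary}">',
        "fixed":      f'<input type="text" name="s" value="{html.escape(canary)}">',
        "stripped":   f'<input type="text" name="s" value="{token}">',
        "absent":     '<input type="text" name="s" value="">',
    }
    for label, body in samples.items():
        print(f"{label:10s} -> {classify_reflection(body, canary, token)}")
    print("3.15.0 affected:", is_affected("3.15.0"))   # True
    print("3.15.1 affected:", is_affected("3.15.1"))   # False
```

Run it with no arguments to see the classification on the constructed samples; to check a real deployment, call `probe("https://your-site.example/", "<parameter>")` and treat anything other than `encoded` or `absent` as needing follow-up. An `absent` result can also mean a WAF swallowed the request, so confirm with a benign value first.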
How to fix
Update to version 3.15.1, or a newer patched version.
Frequently asked questions
What is CVE-2026-32542 — Reflected XSS in Fusion Builder?
CVE-2026-32542 is a Reflected XSS vulnerability in ThemeFusion Fusion Builder affecting versions up to and including 3.15.0 and fixed in 3.15.1. It allows an unauthenticated attacker to run JavaScript in a victim's browser by getting them to open a crafted URL.
Am I affected by CVE-2026-32542 in Fusion Builder?
You are affected if you are running Fusion Builder version 3.15.0 or earlier. Check the version on the Plugins screen of the WordPress admin, or with WP-CLI: wp plugin get fusion-builder --field=version. Upgrade to 3.15.1 or later if it is in the affected range.
How do I fix CVE-2026-32542 in Fusion Builder?
Upgrade Fusion Builder to version 3.15.1 or later. Until then, a WAF with XSS rules and a restrictive Content-Security-Policy reduce exposure but do not remove the flaw; the patch supplies the output encoding the plugin was missing.
Is CVE-2026-32542 being actively exploited?
No public exploit is known, and the EPSS score (0.04%, 11th percentile) predicts a low probability of exploitation, but reflected XSS is trivial to weaponize, so a medium probability is a prudent assumption. Continue to monitor advisories and threat intelligence feeds.
Where can I find the official ThemeFusion advisory for CVE-2026-32542?
Fusion Builder is distributed by ThemeFusion as part of the Avada theme rather than through the WordPress.org plugin directory, so check ThemeFusion's changelog and release notes for the 3.15.1 release, and the CVE record for CVE-2026-32542 for the authoritative affected-version data.