CVE-2026-1509: Arbitrary Action Execution in Avada Builder
Platform
wordpress
Component
fusion-builder
Fixed in
3.15.2
CVE-2026-1509 affects the Avada (Fusion) Builder plugin for WordPress versions up to 3.15.1. This vulnerability allows authenticated attackers with Subscriber-level access or higher to trigger arbitrary WordPress action hooks, potentially leading to severe security consequences. The issue stems from insufficient authorization checks within the outputactionhook() function. A fix is available in version 3.15.2.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The impact of CVE-2026-1509 is significant due to the potential for privilege escalation. An attacker with Subscriber access can leverage this vulnerability to execute arbitrary WordPress actions, effectively bypassing standard access controls. This could lead to the attacker gaining administrative privileges, allowing them to modify site content, install malicious plugins, or even take complete control of the WordPress instance. Furthermore, the ability to trigger arbitrary action hooks opens the door to denial-of-service attacks, file inclusion vulnerabilities, and other security compromises. The Dynamic Data feature, intended for legitimate customization, becomes a vector for malicious exploitation.
Exploitation Context
CVE-2026-1509 was published on 2026-04-14. Its severity is rated as MEDIUM. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on KEV or EPSS, suggesting a low probability of immediate exploitation. However, the ease of exploitation (requiring only Subscriber access) warrants prompt patching.
Threat Intelligence
Exploit Status
EPSS
0.04% (13% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-1509 is to immediately upgrade the Avada (Fusion) Builder plugin to version 3.15.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Dynamic Data feature within the plugin's settings. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to inspect and filter HTTP requests can be configured to block requests containing suspicious parameters related to action hook execution. Monitor WordPress logs for unusual activity, particularly related to action hook calls originating from user-controlled input.
How to fix
Update to version 3.15.2, or a newer patched version
Frequently asked questions
What is CVE-2026-1509 — Arbitrary Action Execution in Avada Builder?
CVE-2026-1509 is a vulnerability in Avada (Fusion) Builder versions up to 3.15.1 that allows authenticated attackers to execute arbitrary WordPress action hooks, potentially leading to privilege escalation and other security impacts. It's rated MEDIUM severity.
Am I affected by CVE-2026-1509 in Avada Builder?
You are affected if you are using Avada (Fusion) Builder version 3.15.1 or earlier. Check your plugin version and upgrade immediately if necessary.
How do I fix CVE-2026-1509 in Avada Builder?
Upgrade the Avada (Fusion) Builder plugin to version 3.15.2 or later. If upgrading is not possible, temporarily restrict access to the Dynamic Data feature.
Is CVE-2026-1509 being actively exploited?
Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-1509, but prompt patching is still recommended due to the ease of exploitation.
Where can I find the official Avada advisory for CVE-2026-1509?
Refer to the official Avada plugin website and WordPress plugin repository for the latest security advisories and updates related to CVE-2026-1509.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...