Platform
wordpress
Component
fusion-builder
Fixed in
3.15.1
CVE-2026-32542 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in ThemeFusion Fusion Builder. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability affects versions of Fusion Builder up to and including 3.15.0, and a patch is available in version 3.15.0.
An attacker exploiting this Reflected XSS vulnerability can inject arbitrary JavaScript code into a user's browser when they visit a specially crafted URL. This code can then be used to steal cookies, redirect users to malicious websites, or deface the website. The impact is particularly severe if the website handles sensitive user data, such as login credentials or financial information. Successful exploitation could lead to complete account takeover and potential data breaches. The blast radius extends to any user who interacts with the affected page, making it a widespread risk.
CVE-2026-32542 was publicly disclosed on 2026-03-25. There are currently no known public proof-of-concept exploits available, but the vulnerability's nature (Reflected XSS) makes it relatively easy to exploit. Its inclusion in the WordPress ecosystem suggests a medium probability of exploitation, particularly given the widespread use of Fusion Builder. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Websites utilizing the ThemeFusion Fusion Builder plugin, particularly those with user input fields or dynamic content generation, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others. Sites using older, unpatched versions of Fusion Builder are especially vulnerable.
• wordpress / composer / npm:
  grep -r '<script>' /var/www/html/wp-content/plugins/fusion-builder/
• generic web:
  curl -I 'https://example.com/?param=<script>alert(1)</script>'
• wordpress / composer / npm:
  wp plugin list --status=active | grep fusion-builder
• wordpress / composer / npm:
  wp plugin update fusion-builder
disclosure
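The commands above cover two defender tasks: finding out whether the installed fusion-builder version is in the affected range, and watching for reflected XSS probes against the site. The following Python is an added example (not part of this advisory and not ThemeFusion's code) that does both offline: it reads the CSV output of `wp plugin list --format=csv` and compares the version against the fix version stated in the metadata, and it scans constructed access-log lines for query-string values that carry script tags or event-handler attributes, URL-decoding a second time so a double-encoded probe is not missed. The log lines, IP addresses and parameter names are constructed sample data.

```python
"""Added example: version triage and access-log scan for reflected XSS probes.
Sample inputs below are constructed; nothing here is taken from the plugin."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Fix version from the advisory metadata ("Fixed in 3.15.1").
FIXED_VERSION = (3, 15, 1)


def parse_version(text: str) -> tuple:
    """'3.15.0' -> (3, 15, 0); tolerates suffixes such as '3.15.0-beta'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return parts or (0,)


def affected_fusion_builder(wp_plugin_csv: str):
    """Return (version, is_affected) for fusion-builder from the CSV produced by
    `wp plugin list --format=csv` (columns: name,status,update,version).
    Returns (None, False) when the plugin is not installed."""
    for line in wp_plugin_csv.strip().splitlines()[1:]:  # skip CSV header
        name, _status, _update, version = line.split(",")[:4]
        if name == "fusion-builder":
            return version, parse_version(version) < FIXED_VERSION
    return None, False


# Markers typical of a reflected-XSS probe in a query string.
XSS_MARKERS = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)
# Combined/common log format: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(access_log: str) -> list:
    """Return one dict per request whose query string contains an XSS marker."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not query:
            continue
        # parse_qsl decodes once; decode again so %253C (double-encoded '<') is seen.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if XSS_MARKERS.search(unquote_plus(value)):
                hits.append({"path": path, "param": key, "status": m.group("status")})
                break
    return hits


# Constructed sample log: one plain probe, one benign search, one double-encoded probe.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.9 - - [25/Mar/2026:10:00:02 +0000] "GET /?s=fusion HTTP/1.1" 200 2048
203.0.113.7 - - [25/Mar/2026:10:00:03 +0000] "GET /page/?name=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 403 0
"""

# Constructed sample of `wp plugin list --format=csv` output.
SAMPLE_PLUGIN_CSV = "name,status,update,version\nfusion-builder,active,available,3.15.0\n"

if __name__ == "__main__":
    print(affected_fusion_builder(SAMPLE_PLUGIN_CSV))
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 403 on the third line (constructed) is what a WAF rule blocking the request would leave behind; a 200 on a probe against an unpatched version is the line worth following up.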
Exploit Status
EPSS
0.04% (percentile 11%)
CVSS Vector
The primary mitigation for CVE-2026-32542 is to immediately upgrade Fusion Builder to version 3.15.0 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data to prevent XSS attacks. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Review and sanitize all user input before rendering it on the page. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through a URL parameter and verifying that it is properly neutralized.
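To show what the "output encoding" workaround and the verification step actually mean, here is an added Python example (not the plugin's code and not derived from the real vulnerable code path, which the advisory does not describe). `render_vulnerable` reflects a query parameter into HTML verbatim, the bug class named above; `render_hardened` applies `html.escape` with `quote=True` so the value is safe in both text and attribute context. `reflection_is_neutralised` reproduces the advisory's post-upgrade check: it feeds the probe through the renderer and parses the result, reporting whether any executable markup (a `script` element, an `on*` handler attribute, or a `javascript:` URL) survives. Function names, the HTML template and the attribute-context probe are constructed for the example.

```python
"""Added example: reflected parameter rendered unsafely vs. with output encoding,
plus a parser-based check that the probe no longer yields executable markup."""
import html
from html.parser import HTMLParser


def render_vulnerable(param: str) -> str:
    """Constructed unsafe template: reflects the parameter with no encoding."""
    return f'<input type="text" name="q" value="{param}"><p>Results for {param}</p>'


def render_hardened(param: str) -> str:
    """Same template with output encoding; quote=True also escapes " and '
    so the value cannot break out of the attribute."""
    safe = html.escape(param, quote=True)
    return f'<input type="text" name="q" value="{safe}"><p>Results for {safe}</p>'


class _ExecutableMarkupFinder(HTMLParser):
    """Collects (tag, attribute) pairs that would execute script in a browser."""

    def __init__(self):
        super().__init__()
        self.executable = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.executable.append(("script", None))
        for name, value in attrs:
            is_handler = name.startswith("on")
            is_js_url = name in ("href", "src") and (value or "").strip().lower().startswith("javascript:")
            if is_handler or is_js_url:
                self.executable.append((tag, name))


def executable_markup(rendered: str) -> list:
    """Return the executable constructs found in a rendered HTML fragment."""
    parser = _ExecutableMarkupFinder()
    parser.feed(rendered)
    parser.close()
    return parser.executable


PROBE = "<script>alert(1)</script>"          # the probe named in the advisory
ATTR_PROBE = '" onfocus="alert(1)" autofocus="'  # constructed attribute-context probe


def reflection_is_neutralised(render, probe: str = PROBE) -> bool:
    """True when render(probe) contains no executable markup."""
    return not executable_markup(render(probe))


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, "text-context:", reflection_is_neutralised(fn),
              "attribute-context:", reflection_is_neutralised(fn, ATTR_PROBE))
```

The attribute-context probe is the reason the check parses the output instead of merely grepping for `<script>`: encoding `<` and `>` alone leaves the `value="..."` attribute breakable, which is why `quote=True` (or WordPress's `esc_attr`) is the right call for that context.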
Update to version 3.15.0, or a later fixed version
CVE-2026-32542 is a Reflected XSS vulnerability in ThemeFusion Fusion Builder affecting versions up to 3.15.0. It allows attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Fusion Builder version 3.15.0 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade Fusion Builder to version 3.15.0 or later. Implement input validation and output encoding as a temporary workaround.
While no public exploits are currently known, the vulnerability's nature suggests a medium probability of exploitation. Continuous monitoring is recommended.
Refer to the ThemeFusion website and WordPress plugin repository for the latest security advisories and updates regarding CVE-2026-32542.