Avada Builder <= 3.11.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
Stored XSS in Avada (Fusion) Builder plugin for WordPress allows authenticated attackers with contributor-level access to inject arbitrary scripts via shortcode attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Avada (Fusion) Builder plugin for WordPress allows authenticated attackers with contributor-level access to inject arbitrary scripts via shortcode attributes.
Vulnerability
The Avada (Fusion) Builder plugin for WordPress versions up to and including 3.11.14 is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on user-supplied attributes in several of the plugin's shortcodes. This allows authenticated attackers to inject arbitrary web scripts.
Exploitation
An attacker with contributor-level access or above can create or edit a page or post and insert a vulnerable shortcode with a malicious attribute containing JavaScript. When any user visits the page, the injected script executes.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary scripts in the context of the victim's browser. This can result in session hijacking, defacement, or redirection to malicious sites.
Mitigation
The vulnerability affects all versions up to 3.11.14. The vendor has not disclosed a fix in the provided references. Users should update to the latest version of the plugin if a patch is available, or apply input validation and output escaping as a workaround.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <=3.11.14
- Range: 0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.