CVE-2025-6747

Vulnerability

Description

The Avada (Fusion) Builder plugin for WordPress, in versions up to and including 3.12.1, contains a stored cross-site scripting (XSS) vulnerability in the fusion_map shortcode. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious HTML/JavaScript to be stored on the server. [1]

Exploitation

Prerequisites

An attacker must have an authenticated WordPress account with at least contributor-level access. The attacker then crafts a post or page containing the vulnerable fusion_map shortcode with specially crafted attribute values. The injected script is stored and executed in the browsers of any users who view the compromised page. No additional privileges or social engineering is required beyond the initial authentication. [1]

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts (JavaScript, HTML) that execute in the context of the victim's session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as cookies and authentication tokens. The XSS is stored, meaning it persists across visits and can affect multiple users without repeated attacker interaction. [1]

Mitigation

The vulnerability is patched in Avada (Fusion) Builder versions after 3.12.1. Users should update the plugin to the latest version available. As of May 2026, the latest Avada core version is 7.15.3, and the Builder component is updated accordingly. No workarounds have been disclosed. Administrators should also review contributor-level user permissions and consider security plugins that add additional input validation. [1]