VYPR
Medium severity 5.4 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 22, 2026

CVE-2026-1509

Description

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook() function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation.
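
The flaw class described above, shown beside a hardened form, as an added PHP example that is not the plugin's own code and not its actual fix. The example_* function and hook names, the allowlist, and the choice of edit_posts as the capability threshold are assumptions made for illustration.

```php
<?php
// Added illustration; NOT Avada/Fusion Builder source. All example_* names are hypothetical.

// Minimal stand-ins so the file also runs outside WordPress (php example.php).
if ( ! function_exists( 'do_action' ) ) {
    $GLOBALS['fired'] = array(); // hooks dispatched so far
    $GLOBALS['caps']  = array(); // capabilities of the simulated current user
    function do_action( $hook ) { $GLOBALS['fired'][] = $hook; }
    function current_user_can( $cap ) { return in_array( $cap, $GLOBALS['caps'], true ); }
}

// Shape of the flaw in the description: the requester picks the hook name.
function example_output_action_unsafe( array $args ) {
    do_action( $args['action'] ); // any registered hook, no authorization check
}

// Hardened shape: capability check, then a fixed allowlist of display hooks.
function example_output_action_safe( array $args ) {
    $allowed = array( 'example_before_content', 'example_after_content' ); // constructed
    $hook    = ( isset( $args['action'] ) && is_string( $args['action'] ) ) ? $args['action'] : '';
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false; // assumption: Subscribers (only 'read' by default) are refused
    }
    if ( ! in_array( $hook, $allowed, true ) ) {
        return false; // hook names off the allowlist are never dispatched
    }
    do_action( $hook );
    return true;
}

// Demo, CLI only and outside WordPress, with constructed input.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $GLOBALS['caps'] = array( 'read' ); // Subscriber-like user
    $request = array( 'action' => 'example_privileged_hook' ); // constructed hook name
    example_output_action_unsafe( $request );
    var_dump( example_output_action_safe( $request ) );
    $GLOBALS['caps'][] = 'edit_posts'; // higher-privileged user, hook still off the allowlist
    var_dump( example_output_action_safe( $request ) );
    var_dump( example_output_action_safe( array( 'action' => 'example_after_content' ) ) );
    print_r( $GLOBALS['fired'] ); // hooks that were actually dispatched
}
```

The allowlist is what bounds the impact: even a caller who passes the capability check can only reach hooks the developer listed, so the set of reachable actions no longer depends on what other plugins register.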

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Avada (Fusion) Builder plugin for WordPress allows authenticated attackers to execute arbitrary WordPress action hooks, potentially leading to privilege escalation or other impacts.

The Avada (Fusion) Builder plugin for WordPress, in all versions up to and including 3.15.1, contains a vulnerability in its output_action_hook() function. This function accepts user-controlled input to trigger any registered WordPress action hook without proper authorization checks, specifically through the Dynamic Data feature. The lack of capability or nonce verification allows an attacker to invoke arbitrary hooks.

An authenticated attacker with Subscriber-level access or higher can exploit this by sending crafted requests that specify a target action hook. No additional privileges are required beyond a valid WordPress user account. The attack surface is the Dynamic Data feature, which processes user-supplied hook names.

Successful exploitation enables the attacker to execute any WordPress action hook that is registered on the site. Depending on the available hooks, this can lead to privilege escalation (e.g., creating new admin users), file inclusion, denial of service, or other security impacts. The exact outcome depends on the hooks present in the WordPress installation and other plugins.

The vendor has addressed this issue in a later release. According to the Avada changelog [1], the latest version is 7.15.3, which likely includes a fix for this vulnerability. Users are strongly advised to update the Avada theme and Fusion Builder plugin to the latest available version to mitigate the risk.

References
  1. Avada Changelog

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
