VYPR
Medium severity 6.5 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 29, 2026

CVE-2026-32451

Description

Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fusion Builder: from n/a through < 3.15.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Fusion Builder plugin for WordPress (versions before 3.15.0) has a missing authorization vulnerability allowing unprivileged attackers to execute higher-privileged actions.

The Fusion Builder plugin for WordPress, developed by ThemeFusion, contains a missing authorization vulnerability in versions prior to 3.15.0. The issue stems from an incorrectly configured access control security level, specifically a Broken Access Control flaw. This means that certain functions in the plugin lack proper authorization checks, nonce token validation, or authentication requirements, potentially allowing unprivileged users to access or execute higher-privileged actions [1].

To exploit this vulnerability, an attacker needs no special privileges: the basic level of access typically available to unauthenticated or low-privilege users on a WordPress site is enough. The vulnerability can be leveraged in mass-exploit campaigns, targeting thousands of websites regardless of their traffic size or popularity [1]. The CVSS v3 score of 6.5 reflects a medium severity due to the low attack complexity and the potential for unauthorized access to sensitive functionality.

Successful exploitation could allow an attacker to perform actions normally reserved for higher-privileged users, such as modifying site content, changing settings, or other administrative operations. This broken access control vulnerability can lead to unauthorized data modification, privilege escalation, or further compromise of the affected WordPress installation [1].

Mitigation is straightforward: the issue has been patched in Fusion Builder version 3.15.0. Site administrators are strongly advised to update to this version or later immediately. For those unable to update, hosting providers or web developers should be consulted for assistance. Patchstack users can enable auto-updates for vulnerable plugins to ensure protection [1].
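To find installs that still need the update, the added example below (not code from the advisory or from ThemeFusion) walks a hosting tree, reads the WordPress plugin header under each `wp-content/plugins/fusion-builder` directory, and flags versions below 3.15.0. It assumes the plugin is installed under its slug `fusion-builder`; the sample tree and header contents are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 15, 0)              # first patched release, per the advisory
PLUGIN_DIR = "fusion-builder"   # plugin slug from the CVE description (assumed install dir)

# WordPress reads plugin metadata from a "Version:" line in a PHP comment header.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)

def parse_version(php_source):
    """Return the header version as a 3-tuple of ints, or None if absent."""
    m = VERSION_RE.search(php_source[:8192])   # WordPress only scans the first 8 KB
    if not m:
        return None
    nums = [int(n) for n in re.findall(r"\d+", m.group(1))][:3]
    return tuple(nums + [0] * (3 - len(nums)))  # "3.15" is treated as 3.15.0

def audit(root):
    """Scan every wp-content/plugins/fusion-builder under root; return findings."""
    findings = []
    for plugin in Path(root).rglob(f"wp-content/plugins/{PLUGIN_DIR}"):
        version = None
        for php in sorted(plugin.glob("*.php")):
            text = php.read_text(errors="replace")
            if "Plugin Name:" in text[:8192]:   # the main plugin file carries this header
                version = parse_version(text)
                break
        if version is None:
            status = "unknown"                  # header missing: check by hand
        else:
            status = "vulnerable" if version < FIXED else "patched"
        findings.append((str(plugin), version, status))
    return findings

def build_sample(root):
    """Constructed sample tree: two sites with made-up plugin header files."""
    for site, ver in (("site-a", "3.14.2"), ("site-b", "3.15.0")):
        d = Path(root) / site / "wp-content" / "plugins" / PLUGIN_DIR
        d.mkdir(parents=True)
        (d / "fusion-builder.php").write_text(
            f"<?php\n/**\n * Plugin Name: Fusion Builder\n * Version: {ver}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, version, status in audit(tmp):
            print(status, version, path)
```

An `unknown` result means no readable header was found, so that install should be checked manually rather than assumed patched.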

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
