CVE-2026-32452
Description
Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fusion Builder: from n/a through < 3.15.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fusion Builder plugin versions before 3.15.0 contain a missing authorization flaw that allows unauthenticated or low-privileged users to perform higher-privileged actions.
Vulnerability Overview
The Fusion Builder plugin for WordPress, versions prior to 3.15.0, suffers from a missing authorization vulnerability. The root cause is a broken access control mechanism, where certain functions fail to verify that the requesting user has the required privileges. This effectively allows exploitation of incorrectly configured access control security levels, enabling an attacker to bypass intended restrictions [1].
Exploitation Details
An attacker can exploit this vulnerability by sending crafted requests to the vulnerable plugin endpoints without needing to authenticate, or by using a low-privileged account (e.g., subscriber) to escalate privileges. The lack of proper nonce or capability checks means that actions meant to be restricted to administrators or editors may be triggered by any user. Automated mass-exploit campaigns often target this type of flaw, making it a practical vector for widespread attacks [1].
Impact
Successful exploitation can allow an attacker to perform unauthorized administrative actions, such as modifying site content, altering plugin settings, or injecting malicious code. This could lead to full site compromise, data theft, or defacement. The CVSS v3 base score is 5.3 (Medium), reflecting a moderate impact with potentially high consequences in a site-wide context [1].
Mitigation
The vendor has released version 3.15.0 which addresses the missing authorization issue. Users are strongly advised to update the Fusion Builder plugin immediately. If updating is not possible, it is recommended to restrict access to the plugin's functionality until a patch can be applied. Hosting providers can assist with implementing temporary workarounds [1].
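To check whether a given site still runs an affected release, the following added example (not code from the vendor or from this advisory) reads the plugin's `Version:` header and compares it numerically against 3.15.0. It assumes the plugin lives in a directory named after the `fusion-builder` slug under `wp-content/plugins` and declares its version in a top-level PHP file; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "fusion-builder"  # slug as written in the CVE description
FIXED_VERSION = "3.15.0"        # first fixed release named on this page

# "Version:" line of a WordPress plugin header comment.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'3.11.2' -> (3, 11, 2). Parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version, fixed=FIXED_VERSION):
    """True when version sorts numerically below the fixed release."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def header_version(plugin_dir):
    """Version header of the first top-level PHP file that declares one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only reads the first 8 KB when looking for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        m = _VERSION_RE.search(head)
        if m:
            return m.group(1)
    return None


def audit(plugins_root):
    """Return (status, version) for the install under a wp-content/plugins dir."""
    plugin_dir = Path(plugins_root) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = header_version(plugin_dir)
    if version is None or not parse_version(version):
        return ("unknown", version)  # do not guess: needs manual review
    return ("affected" if is_affected(version) else "fixed", version)


if __name__ == "__main__":
    # Path argument is the site's wp-content/plugins directory.
    print(*audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

An `unknown` result means the header could not be read or parsed and the install should be reviewed by hand rather than assumed safe.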
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.15.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.