CVE-2026-32453

Vulnerability

Overview CVE-2026-32453 is a missing authorization vulnerability in the ThemeFusion Avada Core plugin (fusion-core) for WordPress, affecting versions from n/a through 5.14.x. The issue stems from a broken access control mechanism, where the plugin fails to properly enforce authorization checks or nonce tokens in certain functions. This allows an unprivileged user to execute actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability without needing any prior authentication or special access, as the missing authorization check is present in publicly accessible functions. The attack surface is broad, as the plugin is widely used, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation enables an attacker to perform actions that are normally restricted to higher-privileged users, such as modifying settings or accessing sensitive data. The CVSS v3 base score is 5.3 (Medium), indicating a moderate severity with potential for unauthorized access or data exposure [1].

Mitigation

The vendor has released version 5.15.0 which addresses the missing authorization issue. Users are strongly advised to update to this version or later immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].