CVE-2026-32454

Vulnerability

Overview

The vulnerability is a DOM-based Cross-Site Scripting (XSS) in the ThemeFusion Avada Core (fusion-core) plugin for WordPress. It stems from improper neutralization of input during web page generation, allowing an attacker to inject arbitrary scripts into the DOM of a victim's browser. The issue affects all versions of the plugin prior to 5.15.0 [1].

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. The attacker does not need direct access to the site but must trick a privileged user into triggering the payload. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation allows the attacker to inject malicious scripts, redirects, advertisements, or other HTML payloads into the website. These scripts execute in the context of the victim's browser when they visit the affected site, potentially leading to session hijacking, defacement, or further compromise of the site and its users [1].

Mitigation

The vulnerability has been patched in version 5.15.0 of the Avada Core plugin. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. Although the severity is rated as medium (CVSS 6.5) and the vendor considers it low risk, updating is recommended to prevent potential exploitation [1].