CVE-2026-1509
Arbitrary Action Execution in Avada Builder Plugin Enables Escalation
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fusion_builder | avada_builder | to 3.15.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Avada (Fusion) Builder plugin for WordPress has a vulnerability in its output_action_hook() function that allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress action hooks. This happens because the function accepts user-controlled input without proper authorization checks, enabling attackers to trigger any registered WordPress action hook.
How can this vulnerability impact me? :
This vulnerability can lead to several security impacts depending on the available action hooks in the WordPress installation. Potential impacts include privilege escalation, file inclusion, denial of service, or other harmful effects caused by executing arbitrary WordPress action hooks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the vulnerability in the Avada (Fusion) Builder plugin affects compliance with common standards and regulations such as GDPR or HIPAA.