{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1541", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-28T14:57:30.708Z", "datePublished": "2026-04-15T01:25:17.892Z", "dateUpdated": "2026-04-15T01:25:17.892Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T01:25:17.892Z"}, "affected": [{"vendor": "themefusion", "product": "Avada (Fusion) Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.15.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter."}], "title": "Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f1f69f93-80e3-434d-98a6-fc8757b4e6d1?source=cve"}, {"url": "https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2026-03-24T16:14:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-14T12:23:58.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.1]"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "Avada (Fusion) Builder", "source": "cna", "vendor": "themefusion"}, "product": "fusion_builder", "vendor": "themefusion"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T08:50:43.376613+00:00", "value": {"mitigation_remediation": ["Upgrade Avada (Fusion) Builder to a version newer than 3.15.1 to apply the fixed fusion_get_post_custom_field() logic.", "If upgrading immediately is not possible, disable the Dynamic Data feature or configure it so that only non\u2011underscore\u2011prefixed metadata keys can be retrieved by Subscriber\u2011level users.", "Audit existing post metadata, remove or encrypt any sensitive values stored under underscore\u2011prefixed keys, and modify application logic to prevent their use as confidential data."], "summary": {"action": "Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Avada (Fusion) Builder plugin from ThemeFusion and are running any version up to and including 3.15.1. Systems using newer versions are not affected. The vulnerability can only be exploited when the Dynamic Data feature is enabled and the user supplies the post_custom_field parameter.", "description_and_impact": "The Avada (Fusion) Builder plugin for WordPress has a flaw where the function fusion_get_post_custom_field() does not verify whether metadata keys are protected by an underscore prefix before returning their values. This insecure direct object reference (CWE\u2011639) allows an authenticated user with Subscriber role or higher to retrieve protected post metadata through the Dynamic Data feature\u2019s post_custom_field parameter. The outcome is the loss of confidentiality for data that should remain private, such as internal notes, API keys, or other sensitive configuration values.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low severity rating. No EPSS score is available, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. An attacker requires valid credentials with at least Subscriber access, so the threat is limited to authenticated users. Nonetheless, because the exposed data is confidential, the risk remains non\u2011zero for sites that store sensitive information in post metadata and enforce strict confidentiality controls."}}}}, "created": "2026-04-15T13:48:23.607357+00:00", "updated": "2026-04-15T13:49:14.870995+00:00", "vendors": ["themefusion", "themefusion$PRODUCT$fusion_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}