PT-2026-32994 · WordPress · Avada Builder

Craig Smith · Published 2026-04-15 · Updated 2026-04-15 · CVE-2026-1509

CVSS v3.1: 5.4 (Medium), AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Avada (Fusion) Builder versions prior to 3.15.2

Description

The plugin allows authenticated attackers with Subscriber-level access and above to execute arbitrary WordPress action hooks through the Dynamic Data feature. This occurs because the output_action_hook() function accepts user-controlled input to trigger registered WordPress action hooks without proper authorization checks. This flaw can lead to privilege escalation, file inclusion, or denial of service, depending on the available action hooks in the WordPress installation.

Recommendations

Update to a version newer than 3.15.1.
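
A hardened form of the pattern the description identifies (a hook name taken from request data and fired without an authorization check), as an added example that is not Avada's code or its actual fix. The function name, the allowlisted hook names and the choice of the edit_posts capability are assumptions made for illustration; the code runs inside WordPress.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.
// Pattern to avoid: do_action( $name_from_request ) with no capability
// check and no restriction on which hook names may be fired.

// Hooks a dynamic-content element is allowed to fire (assumed names).
const EXAMPLE_ALLOWED_HOOKS = array(
    'example_before_content',
    'example_after_content',
);

/**
 * Fire a hook named by request data only when the caller is authorized
 * and the hook is allowlisted. Returns the captured output, or '' on refusal.
 */
function example_render_dynamic_hook( $requested ) {
    // Request parameters can arrive as arrays; accept strings only.
    if ( ! is_string( $requested ) ) {
        return '';
    }

    // Normalise to lowercase [a-z0-9_-] before any comparison.
    $hook = sanitize_key( wp_unslash( $requested ) );

    // Authorization check: Subscriber accounts lack edit_posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        error_log( sprintf(
            'dynamic hook refused: user %d lacks capability (hook "%s")',
            get_current_user_id(),
            $hook
        ) );
        return '';
    }

    // Strict allowlist: an arbitrary registered hook is never reachable.
    if ( ! in_array( $hook, EXAMPLE_ALLOWED_HOOKS, true ) ) {
        error_log( sprintf( 'dynamic hook refused: "%s" not allowlisted', $hook ) );
        return '';
    }

    // Capture whatever the hook's callbacks echo.
    ob_start();
    do_action( $hook );
    return ob_get_clean();
}
```

The refusal log lines give a site operator something to alert on when a low-privileged account probes hook names.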

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-1509

Affected Products: Avada Builder