CVE-2026-1509: CWE-94 Improper Control of Generation of Code ('Code Injection') in themefusion Avada (Fusion) Builder
The Avada (Fusion) Builder WordPress plugin up to version 3.15.1 contains a vulnerability in its output_action_hook() function that allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress action hooks. This improper control of code generation (CWE-94) can lead to privilege escalation, file inclusion, denial of service, or other impacts depending on the hooks available. The vulnerability has a medium severity with a CVSS score of 5.4. No official patch or remediation guidance is currently provided by the vendor.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1509 is a code injection vulnerability in the Avada (Fusion) Builder plugin for WordPress. The issue arises because the output_action_hook() function accepts user-controlled input to trigger any registered WordPress action hook without proper authorization checks. Authenticated attackers with at least Subscriber-level privileges can exploit this to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation and other security impacts. The vulnerability affects all versions up to and including 3.15.1. There is no vendor advisory or patch currently available to address this issue.
Potential Impact
An attacker with Subscriber-level access or higher can exploit this vulnerability to execute arbitrary WordPress action hooks. This can result in privilege escalation, unauthorized file inclusion, denial of service, or other impacts depending on the hooks present in the WordPress environment. The CVSS score of 5.4 reflects a medium severity impact primarily affecting confidentiality and integrity with no direct impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious activity related to WordPress action hooks. Avoid granting Subscriber-level or higher access to untrusted users.
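The analysis above describes the weakness as a function that fires whatever hook name a low-privileged user supplies. As an added illustration, not code from Avada (Fusion) Builder or from this advisory, the PHP sketch below places the unsafe pattern beside a hardened form that requires an explicit allowlist of hook names and a capability check before dispatching. The function names, the allowlist entries, the filter name and the chosen capability are assumptions made for this example; only the WordPress API calls (do_action, has_action, current_user_can, sanitize_key, apply_filters) are real.

```php
<?php
// Added illustration, not code from the Avada (Fusion) Builder plugin.
// Function names, the allowlist contents, the filter name and the capability
// are assumptions made for this example.

// Unsafe pattern: the hook name comes straight from user-controlled data and
// any registered action can be fired by anyone who can reach this code path.
function example_render_dynamic_hook_unsafe( array $args ) {
    $hook = isset( $args['hook'] ) ? (string) $args['hook'] : '';
    ob_start();
    do_action( $hook );          // arbitrary hook execution
    return ob_get_clean();
}

// Hardened pattern: only hook names that the plugin explicitly exposes may be
// dispatched, and only when the acting user holds a suitable capability.
function example_render_dynamic_hook_hardened( array $args ) {
    $hook = isset( $args['hook'] ) ? sanitize_key( $args['hook'] ) : '';

    // Hypothetical allowlist; a real plugin would list the output hooks it
    // intends to expose through its Dynamic Data feature.
    $allowed = apply_filters( 'example_dynamic_hook_allowlist', array(
        'example_header_output',
        'example_footer_output',
    ) );

    if ( '' === $hook || ! in_array( $hook, $allowed, true ) ) {
        // Unknown hook: render nothing and record the attempt for monitoring.
        error_log( sprintf( 'example: rejected dynamic hook "%s" for user %d', $hook, get_current_user_id() ) );
        return '';
    }
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        // Subscriber-level accounts do not pass this check.
        error_log( sprintf( 'example: capability denied for hook "%s", user %d', $hook, get_current_user_id() ) );
        return '';
    }
    if ( ! has_action( $hook ) ) {
        return '';               // nothing registered, nothing to run
    }

    ob_start();
    do_action( $hook );
    return ob_get_clean();
}
```

The allowlist is the primary control: it turns an open-ended "run any hook" primitive into a fixed menu of outputs the plugin author chose. Whether the capability check belongs at render time (as shown) or at the moment the hook value is saved into the page configuration depends on how the feature is used; what matters is that a Subscriber-level account cannot be the one selecting the hook name. The error_log() calls give the "monitor for suspicious activity" recommendation something concrete to watch.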
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-27T21:14:56.116Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69deee0b82d89c981fde9f1f
Added to database: 4/15/2026, 1:46:51 AM
Last enriched: 4/15/2026, 2:02:10 AM
Last updated: 4/15/2026, 3:00:30 AM