Arbitrary Action Execution Vulnerability in Avada Builder Plugin for WordPress
CVE-2026-1509

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Avada (fusion) Builder
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-1509?

The Avada Builder plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access and above to execute arbitrary WordPress action hooks. This occurs through the use of the output_action_hook() function, which processes user-controlled input but lacks sufficient authorization checks. Consequently, attackers can leverage this flaw to initiate various actions in WordPress, potentially resulting in privilege escalation, unauthorized file inclusion, denial of service, or other detrimental consequences based on available registered action hooks.

Affected Version(s)

Avada (Fusion) Builder 0 <= 3.15.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/avada-responsive-multipurpos...

https://avada.com/documentation/avada-changelog/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Jan 27, 2026

Credit

Craig Smith

CVE-2026-1509 Data

JSON