{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6747", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-26T18:32:25.551Z", "datePublished": "2025-07-16T06:40:43.102Z", "dateUpdated": "2026-04-08T17:32:16.876Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:16.876Z"}, "affected": [{"vendor": "themefusion", "product": "Avada (Fusion) Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.12.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusion_map' shortcode in all versions up to, and including, 3.12.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Avada (Fusion) Builder <= 3.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a21eaa-4e2a-4d07-8635-f0a8a5db660f?source=cve"}, {"url": "https://avada.com/documentation/avada-changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-07-15T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-16T13:29:44.874042Z", "id": "CVE-2025-6747", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T14:40:29.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-16T13:29:44.874042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T13:29:45.962Z"}}], "cna": {"title": "Avada (Fusion) Builder <= 3.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themefusion", "product": "Avada (Fusion) Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.12.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-15T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a21eaa-4e2a-4d07-8635-f0a8a5db660f?source=cve"}, {"url": "https://avada.com/documentation/avada-changelog/"}], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusion_map' shortcode in all versions up to, and including, 3.12.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:16.876Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6747", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:16.876Z", "dateReserved": "2025-06-26T18:32:25.551Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-16T06:40:43.102Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusion_map' shortcode in all versions up to, and including, 3.12.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Avada (Fusion) Builder para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode 'fusion_map' del plugin en todas las versiones hasta la 3.12.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6747", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-16T07:15:24.080", "references": [{"source": "security@wordfence.com", "url": "https://avada.com/documentation/avada-changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f0a21eaa-4e2a-4d07-8635-f0a8a5db660f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:16:42.795335+00:00", "value": {"mitigation_remediation": ["Upgrade the Avada (Fusion) Builder plugin to the latest available version, which removes the fusion_map shortcode vulnerability.", "If an immediate upgrade is not possible, configure WordPress to prevent contributors and higher roles from editing or inserting the fusion_map shortcode, or temporarily disable the shortcode entirely until a patch is applied.", "Implement a temporary sanitization layer by wrapping the fusion_map shortcode attributes with esc_attr or a similar WordPress sanitization function to ensure that any user input is properly escaped before rendering."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vulnerable instances are any installation of the Avada (Fusion) Builder plugin up to and including version 3.12.1. Users running older versions should verify their install and consider upgrading.", "description_and_impact": "The Avada (Fusion) Builder plugin for WordPress contains a stored cross\u2011site scripting flaw in the fusion_map shortcode. Insufficient input sanitization and output escaping allow an authenticated user with contributor or higher privileges to inject arbitrary JavaScript into a page. Once injected, the script runs in the context of any visitor to that page, enabling attackers to hijack sessions, deface content, or perform other malicious actions against site users. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% shows a very low likelihood of public exploitation at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access with at least contributor permissions, making it a local rather than remote vector. However, once the script is stored, any site visitor becomes a target for client\u2011side attacks."}}}}, "created": "2026-04-20T20:30:16.065334+00:00", "updated": "2026-04-20T20:30:16.065344+00:00", "vendors": []}