WordPress Plugin Vulnerabilities

Fusion Builder < 3.11.2 - Cross Site Scripting (XSS) vulnerability in the User Register element

Description

The plugin does not sanitise and escape some parameters in the User Register element, which could allow bad actors to perform Cross-Site Scripting attacks.

Affects Plugins

Plugin icon
fusion-builder
Fixed in 3.11.2

References

CVE
CVE-2023-39306
URL
https://patchstack.com/database/vulnerability/fusion-builder/wordpress-avada-builder-plugin-3-11-1-reflected-cross-site-scripting-xss-vulnerability
URL
https://avada.com/blog/version-7-11-2-security-update/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
5e923c36-c87e-4f35-b27f-c686a9c8baaf

Timeline

Publicly Published
2023-08-10 (about 2 years ago)
Added
2024-02-02 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2025-04-16
Title
WPCasa < 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-02-27
Title
Sprout Clients < 3.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
My Favorite Car <= 1.0 - Reflected Cross-Site Scripting
Published
2026-04-09
Title
AddFunc Head & Footer Code < 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
Published
2024-09-16
Title
Greenshift – animation and page builder blocks < 9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting