CVE-2026-32454
WordPress Avada Core plugin < 5.15.0 - Cross Site Scripting (XSS) vulnerabilityImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core fusion-core allows DOM-Based XSS.This issue affects Avada Core: from n/a through < 5.15.0.
We have discovered 52,812 live websites that are affected by CVE-2026-32454.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 52,812 live websites (96% of Avada Core install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 43 versions ( 98% of all versions) |
Details
- Published - Mar 13, 2026
- Updated - Apr 1, 2026
Credits
- Bonds | Patchstack Bug Bounty Program (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2026-32454 United States | 17,284 websites |
 Germany | 8,305 websites |
 GB | 2,834 websites |
 France | 2,765 websites |
 Italy | 2,761 websites |
 Netherlands | 2,487 websites |
 Spain | 1,725 websites |
 Canada | 1,411 websites |
 Switzerland | 1,134 websites |
 Australia | 1,085 websites |
Website Distribution by TLD
Number of websites using CVE-2026-32454| .com | 21,501 websites |
| .de | 5,784 websites |
| .org | 3,022 websites |
| .nl | 2,308 websites |
| .it | 1,991 websites |
| .co.uk | 1,890 websites |
| .fr | 1,172 websites |
| .com.au | 1,006 websites |
| .ch | 962 websites |
| .net | 952 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-32454
Top websites that are affected by CVE-2026-32454. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.**.za |  South Africa | *,*** | |
| ************.com | Germany | **,*** | |
| *********.com | United States | **,*** | |
| ***********.***.de | Germany | **,*** | |
| *************.com | United States | **,*** | |
| ***********.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| **************.org | United States | **,*** | |
| *****************.com | Germany | **,*** | |
| ******.org | United States | **,*** |
FAQ
A total of 52,812 websites have been identified as vulnerable to CVE-2026-32454, based on global website indexing conducted by WebTechSurvey.
The Avada Core is affected by the CVE-2026-32454 vulnerability.
Avada Core versions up to and including 5.15 are vulnerable to CVE-2026-32454.