A vulnerability, which was classified as problematic, was found in themefusion Avada Builder Plugin up to 3.15.5 on WordPress. This impacts an unknown function of the component Module. The manipulation of the argument Module Title results in cross site scripting.

This vulnerability is identified as CVE-2026-12536. The attack can be executed remotely. There is not any exploit available.