WP-Safety

Fusion Page Builder Security & Risk Analysis

wordpress.org/plugins/fusion

Fusion. The forever free, natively powerful, beautifully flexible, and easily expandable page builder for Wordpress.

3K active installs v1.6.4 PHP + WP 3.9+ Updated Sep 11, 2025
adminbuildercustomlayout-builderpage-builder
78
B · Generally Safe
CVEs total2
Unpatched1
Last CVEMar 31, 2025
Plugin page Download
Safety Verdict

Is Fusion Page Builder Safe to Use in 2026?

Mostly Safe

Score 78/100

Fusion Page Builder is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs 1 unpatched Last CVE: Mar 31, 2025Updated 6mo ago
Risk Assessment

The "fusion" plugin v1.6.4 presents a mixed security posture. The static analysis reveals strong adherence to good security practices in several areas. Notably, all identified entry points (AJAX handlers, shortcodes) appear to have authentication checks, there are no raw SQL queries, and a high percentage (90%) of output is properly escaped. The absence of dangerous functions, file operations, and external HTTP requests is also positive. Furthermore, the plugin utilizes nonces and capability checks extensively.

However, the plugin's vulnerability history raises significant concerns. With two known CVEs, one of which remains unpatched, there is a clear indication of past security weaknesses that have not been fully remediated. The fact that both historical vulnerabilities are categorized as medium severity and relate to Cross-site Scripting (XSS) suggests a pattern of input sanitization or output encoding issues that attackers have successfully exploited in the past. The lack of critical or high severity vulnerabilities in the historical data, coupled with the static analysis showing few critical taint flows or unsanitized paths, might suggest that past issues were addressable without introducing major new risks, but the unpatched vulnerability is a direct and present danger.

In conclusion, while "fusion" v1.6.4 demonstrates strengths in its current implementation regarding secure coding practices, the presence of an unpatched medium severity vulnerability is a critical weakness. This historical issue suggests a potential for similar vulnerabilities to exist or re-emerge if not thoroughly addressed. Users should be cautious and prioritize updating to a version that resolves the outstanding CVE.

Key Concerns

  • Unpatched CVE (medium severity)
  • Bundled libraries (Select2 - potential for outdated versions)
Vulnerabilities
2

Fusion Page Builder Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-31549medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Fusion <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 31, 2025Unpatched
CVE-2024-37962medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Fusion <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 10, 2024 Patched in 1.6.2 (62d)
Code Analysis
Analyzed Mar 16, 2026

Fusion Page Builder Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
38
359 escaped
Nonce Checks
20
Capability Checks
24
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

Select2

Output Escaping

90% escaped397 total outputs
Data Flows
All sanitized

Data Flow Analysis

16 flows
render_edit_row_modal (fusion-core.php:1104)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Fusion Page Builder Attack Surface

Entry Points31
Unprotected0

AJAX Handlers 21

authwp_ajax_add_element_modalfusion-core.php:85
authwp_ajax_edit_row_modalfusion-core.php:86
authwp_ajax_edit_column_modalfusion-core.php:87
authwp_ajax_update_image_previewfusion-core.php:90
authwp_ajax_update_video_previewfusion-core.php:91
authwp_ajax_fsn_posts_searchfusion-core.php:94
authwp_ajax_init-button-modalincludes\classes\button.php:22
authwp_ajax_components_modalincludes\classes\components.php:29
authwp_ajax_update_componentincludes\classes\components.php:32
authwp_ajax_custom_list_add_itemincludes\classes\custom-list.php:32
noprivwp_ajax_fsn_ajax_get_post_countincludes\classes\query.php:19
authwp_ajax_fsn_ajax_get_post_countincludes\classes\query.php:20
noprivwp_ajax_fsn_ajax_get_postsincludes\classes\query.php:23
authwp_ajax_fsn_ajax_get_postsincludes\classes\query.php:24
authwp_ajax_edit_tabs_modalincludes\classes\tabs.php:26
authwp_ajax_edit_tab_modalincludes\classes\tabs.php:27
authwp_ajax_save_template_modalincludes\classes\templates.php:26
authwp_ajax_save_templateincludes\classes\templates.php:27
authwp_ajax_load_template_modalincludes\classes\templates.php:28
authwp_ajax_load_templateincludes\classes\templates.php:29
authwp_ajax_delete_templateincludes\classes\templates.php:30

Shortcodes 10

[fsn_row] fusion-core.php:64
[fsn_row_inner] fusion-core.php:65
[fsn_column] fusion-core.php:66
[fsn_column_inner] fusion-core.php:67
[fsn_custom_list_item] includes\classes\custom-list.php:38
[fsn_tabs] includes\classes\tabs.php:22
[fsn_tab] includes\classes\tabs.php:23
[fsn_code] includes\extensions\code.php:59
[fsn_component] includes\extensions\insert-component.php:91
[fsn_text] includes\extensions\text.php:53
WordPress Hooks 43
actionplugins_loadedfusion-core.php:34
actionadmin_initfusion-core.php:40
actionadmin_enqueue_scriptsfusion-core.php:43
actionwp_enqueue_scriptsfusion-core.php:46
actionwp_headfusion-core.php:49
actioninitfusion-core.php:52
actioninitfusion-core.php:55
actioninitfusion-core.php:58
actionwp_footerfusion-core.php:61
filterthe_contentfusion-core.php:70
actionedit_form_after_titlefusion-core.php:73
filteruse_block_editor_for_post_typefusion-core.php:76
actionload-post.phpfusion-core.php:79
filterfsn_selectable_image_sizesfusion-core.php:82
filterscreen_settingsfusion-core.php:1011
filterposts_wherefusion-core.php:1855
actioninitincludes\classes\components.php:22
filterpost_updated_messagesincludes\classes\components.php:23
filterfsn_input_typesincludes\classes\components.php:26
actionwp_footerincludes\classes\components.php:35
actionfsn_extension_initincludes\classes\custom-list.php:26
filterfsn_input_typesincludes\classes\custom-list.php:29
filterfsn_admin_shortcode_content_outputincludes\classes\custom-list.php:35
filterfsn_clean_shortcodesincludes\classes\custom-list.php:41
actionadmin_menuincludes\classes\settings.php:21
actionadmin_initincludes\classes\settings.php:24
actioninitincludes\classes\templates.php:22
filterpost_updated_messagesincludes\classes\templates.php:23
actioninitincludes\extensions\code.php:23
actioninitincludes\extensions\insert-component.php:18
actioninitincludes\extensions\text.php:22
filterfsn_the_contentincludes\utilities\functions.php:18
filterfsn_the_contentincludes\utilities\functions.php:19
filterfsn_the_contentincludes\utilities\functions.php:20
filterfsn_the_contentincludes\utilities\functions.php:21
filterfsn_the_contentincludes\utilities\functions.php:22
filterfsn_the_contentincludes\utilities\functions.php:23
filterfsn_the_contentincludes\utilities\functions.php:24
filterfsn_the_contentincludes\utilities\functions.php:26
filterfsn_the_contentincludes\utilities\functions.php:28
filterfsn_the_contentincludes\utilities\functions.php:30
filterfsn_the_contentincludes\utilities\functions.php:33
filterthe_contentincludes\utilities\functions.php:43
Maintenance & Trust

Fusion Page Builder Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedSep 11, 2025
PHP min version
Downloads191K

Community Trust

Rating94/100
Number of ratings15
Active installs3K
Alternatives

Fusion Page Builder Alternatives

Fusion Page Builder : Extension – Gallery

Fusion Page Builder : Extension – Gallery

fusion-extension-gallery

A
99

Extend Fusion with a Gallery Element.

600 1 CVE
Fusion Page Builder : Extension – Image

Fusion Page Builder : Extension – Image

fusion-extension-image

A
85

Extend Fusion with an Image Element.

500 No CVEs
Fusion Page Builder : Extension – Button

Fusion Page Builder : Extension – Button

fusion-extension-button

A
85

Extend Fusion with a Button Element.

400 No CVEs
Fusion Page Builder : Extension – Contact Form

Fusion Page Builder : Extension – Contact Form

fusion-extension-contact-form

A
85

Extend Fusion with a Contact Form Element.

300 No CVEs
Fusion Page Builder : Extension – Divider

Fusion Page Builder : Extension – Divider

fusion-extension-divider

A
85

Extend Fusion with a Divider Element.

300 No CVEs
Developer Profile

Fusion Page Builder Developer Profile

Agency Dominion Inc.

14 plugins · 7K total installs

78
trust score
Avg Security Score
86/100
Avg Patch Time
34 days
View full developer profile
Detection Fingerprints

How We Detect Fusion Page Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fusion/includes/bootstrap/admin/js/bootstrap.min.js/wp-content/plugins/fusion/includes/css/jquery-ui-1.11.4.custom/jquery-ui.min.css/wp-content/plugins/fusion/includes/js/fusion-core-admin.js/wp-content/plugins/fusion/includes/css/fusion-core-admin.css
Script Paths
/wp-content/plugins/fusion/includes/js/fusion-core-admin.js
Version Parameters
fusion-core-admin.js?ver=fusion-core-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
fsn-wrapper
Data Attributes
data-fsn-iddata-fsn-typedata-fsn-editdata-fsn-paramsdata-fsn-parent-id
JS Globals
fsnJS
Shortcode Output
[fsn_row][/fsn_row][fsn_row_inner][/fsn_row_inner]
FAQ

Frequently Asked Questions about Fusion Page Builder