CVE-2026-6279
Unauthenticated Remote Code Execution in Avada Builder WordPress Plugin

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: Wordfence

Description
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-09
Affected Vendors & Products (1 associated CPE)
Vendor: themefusion
Product: avada_builder
Version / Range: up to and including 3.15.2
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

The Avada Builder (fusion-builder) plugin for WordPress has a vulnerability that allows unauthenticated remote code execution via PHP function injection. This occurs because the plugin's Fusion_Builder_Conditional_Render_Helper::get_value() method uses attacker-controlled data from a base64-decoded JSON blob directly in a call_user_func() call without validating the function being called. Attackers can exploit this through the fusion_get_widget_markup AJAX endpoint, which is accessible to unauthenticated users and protected only by a nonce that is deterministically exposed on public pages containing certain elements, allowing arbitrary code execution on affected sites.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary code on your WordPress site. This can lead to full site compromise, including data theft, site defacement, installation of malware, or use of the site as a platform for further attacks. Because the exploit requires no authentication and has a high severity score (CVSS 9.8), it poses a critical risk to affected sites.

Compliance Impact

The vulnerability allows unauthenticated remote code execution on affected WordPress sites using the Avada Builder plugin. This can lead to full compromise of the site, including unauthorized access to sensitive data.

Such a compromise can result in violations of common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. If attackers exploit this vulnerability to access or manipulate protected data, the affected organization could face compliance breaches, legal consequences, and reputational damage.

Mitigation Strategies

The vulnerability affects Avada Builder (fusion-builder) plugin versions up to and including 3.15.2. Immediate mitigation involves updating the plugin to a version later than 3.15.2 where this issue is fixed.

The latest Avada release as of March 17, 2026 was 7.15.1; that number is the theme's version line, and the Avada Builder plugin is versioned separately, so confirm that the plugin itself is updated to the latest available version (later than 3.15.2) to address this vulnerability.

Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the Avada Builder (fusion-builder) plugin version 3.15.2 or earlier, as these versions are vulnerable to unauthenticated remote code execution.

To detect exploitation attempts on your system or network, monitor HTTP requests to `admin-ajax.php` carrying `action=fusion_get_widget_markup` (the request handled by the `wp_ajax_nopriv_fusion_get_widget_markup` hook). Requests to this action whose parameters contain base64-encoded JSON blobs or otherwise unusual values may indicate exploitation attempts. Because the nonce is emitted precisely for pages containing Post Cards or Table of Contents elements, their front-end code is expected to call this action legitimately, so parameter content and request volume matter more than the bare presence of the request.

Suggested commands to help detect the vulnerability or exploitation attempts include:

  • Use curl or wget to check the plugin version by requesting the plugin's readme or changelog files if accessible.
  • Use grep or similar tools to read the installed plugin version from the plugin headers, e.g., `grep -r 'Version:' wp-content/plugins/fusion-builder/*.php`, and treat any version at or below 3.15.2 as vulnerable (matching only the literal string `3.15.2` would miss older vulnerable releases). With WP-CLI, `wp plugin get fusion-builder --field=version` reports the same value.
  • Monitor web server logs for requests to `admin-ajax.php` with the parameter `action=fusion_get_widget_markup`, for example: `grep 'action=fusion_get_widget_markup' /var/log/apache2/access.log`. Standard access logs record only the request line, so requests that send the action in a POST body can only be seen with request-body logging or a WAF.
  • Use network monitoring tools or intrusion detection systems to alert on suspicious AJAX requests containing base64-encoded payloads targeting this endpoint.
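As an added defensive example (not part of the advisory, Wordfence's tooling or the plugin), the following Python script triages access-log lines for the pattern described above: it assumes the default Apache/nginx combined log format, constructs its own sample lines, and rates a hit higher when a parameter decodes to JSON that names the `wp_conditional_tags` code path.

```python
import base64, json, re
from urllib.parse import parse_qs, quote, urlsplit

# Apache/nginx "combined" access-log layout (assumption: default format). Only the query
# string is visible in such a log; POST bodies are not recorded.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')
B64_RE = re.compile(r'^[A-Za-z0-9+/=_-]{16,}$')  # standard or URL-safe base64 alphabet
ACTION = "fusion_get_widget_markup"             # AJAX action named in the advisory

def decode_b64_json(value):
    """Return the parsed object if value is base64 wrapping a JSON document, else None."""
    value = value.replace(" ", "+")             # parse_qs turns a literal '+' into ' '
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        return json.loads(raw.decode("utf-8"))
    except ValueError:          # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None

def triage_line(line):
    """Return (ip, severity, reason) for a request to the action, or None otherwise."""
    m = LOG_RE.match(line)
    url = urlsplit(m.group("target")) if m else None
    if url is None or not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query)
    if params.get("action") != [ACTION]:
        return None
    # Pages with Post Cards / Table of Contents elements call this action legitimately,
    # so a bare hit is informational; escalate only on base64-wrapped JSON parameters.
    severity, reason = "info", f"request to {ACTION}"
    for name, values in params.items():
        for v in values:
            blob = decode_b64_json(v) if name != "action" and B64_RE.match(v) else None
            if blob is None:
                continue
            severity, reason = "medium", f"{name}: base64-encoded JSON"
            if "wp_conditional_tags" in json.dumps(blob):  # code path named in the advisory
                return m.group("ip"), "high", f"{name}: base64 JSON naming wp_conditional_tags"
    return m.group("ip"), severity, reason

def b64_fixture(obj):  # builds the constructed fixtures below; not a real payload format
    return quote(base64.b64encode(json.dumps(obj).encode()).decode(), safe="")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.7 - - [21/May/2026:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [21/May/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action={ACTION}'
    '&fusion_load_nonce=a1b2c3d4e5&page_id=42 HTTP/1.1" 200 880',
    f'203.0.113.9 - - [21/May/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action={ACTION}'
    f'&data={b64_fixture({"case": "wp_conditional_tags"})} HTTP/1.1" 200 12',
]
```

Feed real lines with `triage_line(line)` and forward anything rated medium or high to your alerting; info-level hits are best baselined per source IP before acting on them.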