CVE-2026-6279
Unauthenticated Remote Code Execution in Avada Builder WordPress Plugin
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themefusion | avada_builder | up to and including 3.15.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Avada Builder (fusion-builder) plugin for WordPress has a vulnerability that allows unauthenticated remote code execution via PHP function injection. This occurs because the plugin's Fusion_Builder_Conditional_Render_Helper::get_value() method uses attacker-controlled data from a base64-decoded JSON blob directly in a call_user_func() call without validating the function being called. Attackers can exploit this through the fusion_get_widget_markup AJAX endpoint, which is accessible to unauthenticated users and protected only by a nonce that is deterministically exposed on public pages containing certain elements, allowing arbitrary code execution on affected sites.
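As an added illustration of the pattern described above (this is not the plugin's actual code; every function and key name here is hypothetical), the unsafe callable lookup from a base64-encoded JSON blob is shown beside a hardened version that only dispatches to a fixed map of known value sources:

```php
<?php
// Added illustration, not the plugin's real code. All names are hypothetical.

// Constructed sample request blobs (base64 JSON), as a site would receive them.
$benign  = base64_encode(json_encode(['source' => 'text_length', 'args' => ['hello']]));
$hostile = base64_encode(json_encode(['source' => 'phpinfo', 'args' => []]));

function decode_blob(string $blob): ?array {
    $raw  = base64_decode($blob, true);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// VULNERABLE (CWE-74): whatever string the request carries becomes the callable.
// Deliberately never invoked in this script.
function get_value_unsafe(string $blob) {
    $data = decode_blob($blob);
    if ($data === null || !isset($data['source'])) {
        return null;
    }
    return call_user_func_array($data['source'], (array) ($data['args'] ?? []));
}

// HARDENED: the request may only select from a fixed map of known sources.
// Authorization (e.g. a capability check) still belongs in the AJAX handler;
// a nonce alone is a CSRF token, not an access control.
function get_value_safe(string $blob) {
    $allowed = [
        'text_length' => fn(string $s): int => strlen($s),
        'text_upper'  => fn(string $s): string => strtoupper($s),
    ];
    $data = decode_blob($blob);
    if ($data === null || !is_string($data['source'] ?? null)
        || !array_key_exists($data['source'], $allowed)) {
        return null; // unknown source: reject instead of calling it
    }
    $args = array_values((array) ($data['args'] ?? []));
    try {
        return $allowed[$data['source']](...$args);
    } catch (TypeError $e) {
        return null; // arguments that do not match the known source are rejected too
    }
}

var_dump(get_value_safe($benign));  // allow-listed source runs with its arguments
var_dump(get_value_safe($hostile)); // 'phpinfo' is not an allowed source, nothing is called
```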
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary code on your WordPress site. This can lead to full site compromise, including data theft, site defacement, installation of malware, or use of the site as a platform for further attacks. Because the exploit requires no authentication and has a high severity score (CVSS 9.8), it poses a critical risk to affected sites.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote code execution on affected WordPress sites using the Avada Builder plugin. This can lead to full compromise of the site, including unauthorized access to sensitive data.
Such a compromise can result in violations of common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. If attackers exploit this vulnerability to access or manipulate protected data, the affected organization could face compliance breaches, legal consequences, and reputational damage.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects Avada Builder (fusion-builder) plugin versions up to and including 3.15.2. Immediate mitigation involves updating the plugin to a version later than 3.15.2 where this issue is fixed.
Since the latest Avada version as of March 17, 2026 is 7.15.1, ensure your Avada Builder plugin is updated to the latest available version to address this vulnerability.