Avada (Fusion) Builder

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.

AI Analysis

Unauthenticated Remote Code Execution via PHP Function Injection in Avada Builder plugin

Basic Information

ID CVE-2026-6279

Source Wordfence

Published May 21, 2026 at 04:27

Affected Product

Vendor themefusion

Product Avada (Fusion) Builder

Version 3.15.2

Affected Versions themefusion Avada (Fusion) Builder 0

CWE Classification

CWE-74

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor ThemeFusion

Product Avada Builder

Version 3.15.2

References

{
    "lastseen": "",
    "description": "The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.",
    "published": "2026-05-21T04:27:57.613Z",
    "modified": "2026-05-21T04:27:57.613Z",
    "type": "cve",
    "title": "Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc72d78-d47c-4b36-8d69-8672e15ddf8c?source=cve\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1531\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1531\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/trunk/shortcodes/fusion-widget.php#L44\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/shortcodes/fusion-widget.php#L44\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/trunk/shortcodes/fusion-widget.php#L389\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/shortcodes/fusion-widget.php#L389\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/class-fusion-builder.php#L7551\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/inc/class-fusion-builder.php#L7551\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1083\nhttps://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1083\nhttps://avada.com/documentation/avada-changelog/",
    "id": "CVE-2026-6279",
    "bulletinFamily": "",
    "cwe": [
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "themefusion Avada (Fusion) Builder 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Avada (Fusion) Builder",
    "version": "3.15.2",
    "vendor": "themefusion",
    "ai_description": "Unauthenticated Remote Code Execution via PHP Function Injection in Avada Builder plugin",
    "ai_severity": "Critical",
    "ai_vendor": "ThemeFusion",
    "ai_product": "Avada Builder",
    "ai_version": "3.15.2",
    "ai_score": 9.8
}

Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler_CVE-2026-6279