WordPress · Avada Builder · CVE-2026-6279
**Name of the Vulnerable Software and Affected Versions**
Avada Builder (fusion-builder) versions prior to 3.15.3
**Description**
Unauthenticated remote code execution is possible via PHP Function Injection. The issue occurs because the `wp_conditional_tags` case in the `Fusion_Builder_Conditional_Render_Helper::get_value()` function passes attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without allowlist validation. This can be exploited through the `fusion_get_widget_markup` AJAX endpoint, which is registered for unauthenticated users via `wp_ajax_nopriv_fusion_get_widget_markup`. Although the endpoint is protected by a nonce (`fusion_load_nonce`), this value is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element.
**Recommendations**
Update the plugin to a version later than 3.15.2.
As a temporary workaround, restrict access to the `fusion_get_widget_markup` AJAX endpoint or remove Post Cards and Table of Contents elements from public-facing pages to prevent the exposure of the `fusion_load_nonce`.
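
One way to apply the endpoint restriction until the update is installed, shown as an added example (it is not code from Avada or from this advisory). It assumes a must-use plugin file is acceptable on the site; the file name and log message are illustrative choices.

```php
<?php
/**
 * Plugin Name: Block unauthenticated fusion_get_widget_markup (temporary)
 *
 * Added example, not Avada code. Save as a must-use plugin, for example
 * wp-content/mu-plugins/block-fusion-widget-markup.php (file name is an assumption).
 */

// Must-use plugins load before regular plugins, and PHP_INT_MIN makes this
// callback run ahead of any handler registered later on the same hook.
// The nopriv hook fires only for visitors who are not logged in, so
// authenticated users are not affected.
add_action(
    'wp_ajax_nopriv_fusion_get_widget_markup',
    function () {
        // Record the attempt so it can be reviewed or alerted on.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(
            sprintf( 'Blocked unauthenticated fusion_get_widget_markup request from %s', $ip )
        );

        // Sends a 403 JSON response and terminates the request, so the
        // plugin's own callback on this hook never executes.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    },
    PHP_INT_MIN
);
```

Anonymous visitors lose whatever this endpoint renders for them while the file is in place; delete it once the plugin has been updated.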