PT-2026-42396 · Themefusion · Avada (Fusion) Builder

Hao Ngo +2 · Published 2026-05-21 · Updated 2026-05-21 · CVE-2026-6279

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wp_conditional_tags case in Fusion_Builder_Conditional_Render_Helper::get_value() passing attacker-controlled values from a base64-decoded JSON blob directly to call_user_func() without any allowlist validation. This is exploitable by unauthenticated attackers through the fusion_get_widget_markup AJAX endpoint, which is registered for non-privileged (unauthenticated) users via wp_ajax_nopriv_fusion_get_widget_markup. The endpoint is protected only by a nonce (fusion_load_nonce), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards ([fusion_post_cards]) or Table of Contents ([fusion_table_of_contents]) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.
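As an added illustration, not Avada or Fusion Builder code: the defect class the advisory describes (a request-controlled function name reaching call_user_func()) next to a hardened version that resolves the conditional tag against a closed allowlist. The function names, the decoded payload shape and the allowlist contents are assumptions made for this example.

```php
<?php
// Added example, not Avada/Fusion Builder code: the vulnerable pattern the
// advisory describes next to an allowlisted version. Function names, the
// decoded payload shape ({"conditional": "...", "args": [...]}) and the
// allowlist contents are assumptions made for this illustration.

// Defect class: the callable name is taken from the request as-is, so any
// PHP function reachable by name can be invoked through call_user_func().
function render_condition_unsafe(array $data): bool
{
    $args = array_values((array) ($data['args'] ?? []));
    return (bool) call_user_func($data['conditional'], ...$args);
}

// Hardened form: only known WordPress conditional tags may be resolved, the
// comparison is strict, and arguments are restricted to scalars so that no
// nested structure can carry a callable of its own.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_front_page', 'is_home', 'is_single', 'is_page', 'is_singular',
    'is_archive', 'is_category', 'is_tag', 'is_search', 'is_404',
];

function render_condition_safe(array $data): bool
{
    $name = $data['conditional'] ?? null;
    if (!is_string($name) || !in_array($name, ALLOWED_CONDITIONAL_TAGS, true)) {
        return false; // unknown tag: fail closed, never execute it
    }
    $args = $data['args'] ?? [];
    if (!is_array($args)) {
        return false;
    }
    foreach ($args as $arg) {
        // Conditional tags take IDs, slugs and titles; reject anything else.
        // (Tags that accept arrays of scalars would need a per-tag rule.)
        if (!is_scalar($arg)) {
            return false;
        }
    }
    if (!function_exists($name)) {
        return false; // allowlisted but not loaded in this context
    }
    return (bool) call_user_func($name, ...array_values($args));
}

// Entry point for the base64-encoded JSON blob form the advisory mentions.
// Strict base64 decoding and a type check on the JSON result happen before
// any of the values are inspected.
function render_condition_from_blob(string $blob): bool
{
    $json = base64_decode($blob, true);
    if ($json === false) {
        return false;
    }
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return false;
    }
    return render_condition_safe($data);
}
```

The allowlist is the control that matters here. The nonce check the advisory mentions only proves that the caller obtained a page embedding the user ID 0 nonce, which any unauthenticated visitor can do, so it does not restrict who reaches the endpoint; the name that reaches call_user_func() has to be constrained regardless of how the request was authenticated.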

Fix

Weakness Enumeration: Special Elements Injection

Related Identifiers: CVE-2026-6279

Affected Products: Avada (Fusion) Builder