PT-2026-42396 · WordPress · Avada Builder

Hao Ngo

+2

·

Published

2026-05-21

·

Updated

2026-05-23

·

CVE-2026-6279

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Avada Builder (fusion-builder) versions prior to 3.15.3
Description Unauthenticated remote code execution is possible via PHP Function Injection. The issue occurs because the wp conditional tags case in the Fusion Builder Conditional Render Helper::get value() function passes attacker-controlled values from a base64-decoded JSON blob directly to call user func() without allowlist validation. This can be exploited through the 'fusion get widget markup' AJAX endpoint, which is registered for unauthenticated users via wp ajax nopriv fusion get widget markup. Although the endpoint is protected by a nonce fusion load nonce, this value is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public page containing a Post Cards ([fusion post cards]) or Table of Contents ([fusion table of contents]) element.
Recommendations Update the plugin to a version later than 3.15.2. As a temporary workaround, restrict access to the 'fusion get widget markup' AJAX endpoint or remove Post Cards and Table of Contents elements from public-facing pages to prevent the exposure of the fusion load nonce.

Fix

RCE

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6279

Affected Products

Avada Builder