PT-2026-42396 · WordPress · Avada Builder
Hao Ngo
+2
·
Published
2026-05-21
·
Updated
2026-05-23
·
CVE-2026-6279
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Avada Builder (fusion-builder) versions prior to 3.15.3
Description
Unauthenticated remote code execution is possible via PHP Function Injection. The issue occurs because the
wp conditional tags case in the Fusion Builder Conditional Render Helper::get value() function passes attacker-controlled values from a base64-decoded JSON blob directly to call user func() without allowlist validation. This can be exploited through the 'fusion get widget markup' AJAX endpoint, which is registered for unauthenticated users via wp ajax nopriv fusion get widget markup. Although the endpoint is protected by a nonce fusion load nonce, this value is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public page containing a Post Cards ([fusion post cards]) or Table of Contents ([fusion table of contents]) element.Recommendations
Update the plugin to a version later than 3.15.2.
As a temporary workaround, restrict access to the 'fusion get widget markup' AJAX endpoint or remove Post Cards and Table of Contents elements from public-facing pages to prevent the exposure of the
fusion load nonce.Fix
RCE
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Avada Builder