Security Alert Summary
The Avada Builder (fusion-builder) plugin for WordPress contains an unauthenticated remote code execution vulnerability in versions up to and including 3.15.2. The issue arises when a base64-decoded JSON blob is used without allowlist validation and passed to call_user_func() in a conditional rendering helper. An attacker can reach the vulnerable code via the publicly exposed AJAX endpoint fusion_get_widget_markup, which is registered for unauthenticated users. A nonce used by the endpoint is deterministically exposed in the JavaScript output of pages containing certain shortcodes, enabling unauthenticated exploitation.
CVE Details
- CVE ID: CVE-2026-6279
- Affected component: Avada Builder (fusion-builder) plugin for WordPress
- Affected versions: Versions up to and including 3.15.2
- Published: May 21, 2026 5:16:23 AM UTC
- Last modified: May 21, 2026 3:19:30 PM UTC
- CVSS v3.1: Base score 9.8, Severity CRITICAL, Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User interaction: Authentication not required; Privileges required: None; User interaction: None
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness: CWE-74 (Injection)
Technical Details
According to the reported details, the vulnerability stems from the wp_conditional_tags case in Fusion_Builder_Conditional_Render_Helper::get_value(). The code accepts a base64-encoded JSON blob, decodes it, and passes the decoded, attacker-controlled values straight to call_user_func() with no allowlist or any other check on which functions may be called. Because a string argument to call_user_func() can name any defined PHP function, whoever controls the blob chooses which function runs and with which arguments: this is PHP function injection.
The vulnerable path is reachable through the AJAX endpoint fusion_get_widget_markup, which is registered for unauthenticated requests via wp_ajax_nopriv_fusion_get_widget_markup. The endpoint checks a nonce named fusion_load_nonce, but that nonce is generated for user ID 0 (the anonymous visitor) and is emitted in the JavaScript output of public-facing pages that contain the Post Cards ([fusion_post_cards]) or Table of Contents ([fusion_table_of_contents]) shortcodes. For user 0 a WordPress nonce depends only on the action name and a time tick, so it is identical for every anonymous visitor until the tick rolls over (by default a nonce stays valid for up to 24 hours) and can simply be read out of the page source. A nonce is a CSRF defense, not an authorization check; combined with the nopriv registration it places no obstacle in front of an unauthenticated attacker, who can invoke the endpoint and exercise the vulnerable code path.
The practical impact is the ability for an unauthenticated attacker to execute arbitrary PHP code on affected sites, limited to the context and privileges of the web server/PHP process. The exploitability is high because the attack vector is network-accessible, requires no authentication, and needs no user interaction.
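The two shapes below are an added illustration written for this advisory; they are not code from the Avada Builder plugin and not the vendor's fix. The first function reproduces the unsafe dispatch pattern described above (base64-encoded JSON decoded and handed to call_user_func_array() with no allowlist); the second shows one hardened form, with a fixed allowlist of WordPress conditional tags, type checks on the decoded structure, and a single scalar argument. The function names, the blob layout ("tag" and "arg" keys) and the allowlist contents are assumptions. The comments also carry the caveat a reviewer would want: the AJAX nonce remains useful against CSRF, but it is the allowlist, not the nonce, that stops arbitrary functions from being called.

```php
<?php
// Added illustration, not code from the Avada Builder plugin or its vendor fix.
// Function names, the allowlist contents and the blob layout are assumptions.

// UNSAFE: the decoded blob chooses the callable. A string passed to
// call_user_func_array() can name any defined PHP function, so whoever controls
// $encoded controls which function runs and with which arguments.
function unsafe_get_value( string $encoded ) {
    $cond = json_decode( base64_decode( $encoded ), true );
    if ( ! is_array( $cond ) || empty( $cond['tag'] ) ) {
        return false;
    }
    $args = isset( $cond['args'] ) ? (array) $cond['args'] : array();
    return call_user_func_array( $cond['tag'], $args ); // no allowlist: function injection
}

// HARDENED: only a fixed set of WordPress conditional tags may be invoked, the
// decoded structure is type-checked, and at most one scalar argument is forwarded.
// The AJAX nonce is still required for CSRF purposes, but it is not what keeps
// arbitrary functions from being called; the allowlist is.
const ALLOWED_CONDITIONAL_TAGS = array(
    'is_front_page', 'is_home', 'is_single', 'is_page', 'is_singular',
    'is_archive', 'is_category', 'is_tag', 'is_search', 'is_404',
);

function hardened_get_value( string $encoded ): bool {
    $raw = base64_decode( $encoded, true ); // strict mode rejects non-base64 bytes
    if ( false === $raw ) {
        return false;
    }
    $cond = json_decode( $raw, true, 3 ); // shallow depth: the blob is a flat object
    if ( ! is_array( $cond ) || ! isset( $cond['tag'] ) || ! is_string( $cond['tag'] ) ) {
        return false;
    }
    $tag = $cond['tag'];
    // Strict in_array(): deny anything not on the list; never fall back to call_user_func().
    if ( ! in_array( $tag, ALLOWED_CONDITIONAL_TAGS, true ) || ! function_exists( $tag ) ) {
        return false;
    }
    $arg = ( isset( $cond['arg'] ) && is_scalar( $cond['arg'] ) ) ? $cond['arg'] : null;
    return null === $arg ? (bool) $tag() : (bool) $tag( $arg );
}

// Constructed inputs. The first decodes to {"tag":"is_single","arg":42} and is
// accepted; the second names a function that is not on the allowlist and is refused.
// Outside WordPress is_single() is undefined, so both print bool(false) when this
// file is run stand-alone; inside WordPress the first evaluates is_single(42).
$blob = base64_encode( json_encode( array( 'tag' => 'is_single', 'arg' => 42 ) ) );
var_dump( hardened_get_value( $blob ) );
var_dump( hardened_get_value( base64_encode( '{"tag":"phpinfo"}' ) ) ); // bool(false): not allowlisted
```

The design choice worth noting is that the hardened version never reaches a dynamic call with a name it did not enumerate itself: an unknown tag returns false rather than being tried. Validating the JSON shape (is_array, is_string, is_scalar) before the allowlist check also keeps nested arrays or objects from being forwarded as arguments.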
How This Could Impact Your Website
Because exploitation needs no account, the question is not which of your users could abuse this but what any anonymous visitor can do with code running as the web server. Attacker-controlled PHP in that context can read wp-config.php (database credentials and authentication salts), query the database directly to dump user records and email addresses, rewrite posts and pages to insert phishing links or spam, drop a web shell or a rogue administrator account for persistence, or delete and corrupt data to take the site down. The high confidentiality, integrity and availability ratings in the CVSS vector reflect that full range of outcomes, and every visitor to the site is affected by the integrity and availability impacts.
If you're unsure whether your site is affected or how to assess your current plugins and user roles, it may be worth having a professional review of your setup.
Recommended Actions
- Check the installed Avada Builder (fusion-builder) version on the Plugins screen; anything up to and including 3.15.2 is affected. Update as soon as a patched release is available, and consult the Avada changelog linked under References for the fixed version.
- Until you can update, either deactivate the plugin or block requests whose action parameter is fusion_get_widget_markup at a WAF or reverse proxy. This removes the reachable entry point described above, at the cost of widget rendering that depends on that endpoint.
- Treat account hygiene as defense in depth, not as a fix for this issue: reducing unnecessary roles (contributor-level accounts and external contractors included), enforcing strong passwords and enabling two-factor authentication for editors and administrators limit what an attacker gains from a second foothold, but they do not block an unauthenticated path.
- Remove unused or unmaintained plugins and themes.
- Monitor server logs for requests to wp-admin/admin-ajax.php naming the fusion_get_widget_markup action, especially bursts from a single IP or non-browser user agents. A POST body is not recorded in a standard access log, so a WAF or application-level request log is needed to see action parameters sent that way.
- If the site was reachable while unpatched, look for signs of compromise: PHP files under wp-content/uploads, modified plugin or theme files, unknown administrator users, unexpected scheduled tasks, and changes to wp-config.php.
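The following script is an added example for the log-monitoring step above; it is not part of the advisory or of any vendor tooling. It parses combined-format (Apache/Nginx) access log lines, keeps the requests that reached admin-ajax.php with fusion_get_widget_markup as the action in the query string, and aggregates them by source IP. The sample log lines embedded in it are constructed, not real traffic, and the IP addresses are documentation ranges. The limitation named in the comments is the one that matters in practice: admin-ajax.php reads the action from $_REQUEST, so a request that sends it in a POST body appears in the access log only as "POST /wp-admin/admin-ajax.php" and will not be flagged here.

```php
<?php
// Added example (not part of the advisory): scan a combined-format access log for
// requests that name the fusion_get_widget_markup AJAX action in the query string.
// Sample lines below are constructed, not real traffic.
//
// Caveat: admin-ajax.php reads the action from $_REQUEST, so a request that sends
// the action in a POST body leaves only "POST /wp-admin/admin-ajax.php" in a
// standard access log. A hit here is a definite signal; absence proves nothing.
// To see POST-body actions you need a WAF or application-level request log.

const TARGET_ACTION = 'fusion_get_widget_markup';

// Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

// Parse one line into its fields, or return null for lines that do not match.
function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[4], PHP_URL_QUERY ) ?? '';
    parse_str( $query, $params );
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => (string) parse_url( $m[4], PHP_URL_PATH ),
        'action' => $params['action'] ?? null,
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

// Every request that reached admin-ajax.php with the target action in the query
// string, regardless of HTTP method (GET works because admin-ajax uses $_REQUEST).
function find_widget_markup_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( null === $r ) {
            continue;
        }
        if ( basename( $r['path'] ) === 'admin-ajax.php' && $r['action'] === TARGET_ACTION ) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Aggregate by source IP so a scanner hammering the endpoint stands out.
function count_by_ip( array $hits ): array {
    $counts = array();
    foreach ( $hits as $h ) {
        $counts[ $h['ip'] ] = ( $counts[ $h['ip'] ] ?? 0 ) + 1;
    }
    arsort( $counts );
    return $counts;
}

// Constructed sample: two GET hits on the action from one scripted client, one
// unrelated admin-ajax POST (action not visible in the log), one ordinary page view.
$sample = array(
    '203.0.113.7 - - [21/May/2026:06:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [21/May/2026:06:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '198.51.100.4 - - [21/May/2026:06:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.com/blog/" "Mozilla/5.0"',
    '198.51.100.9 - - [21/May/2026:06:06:30 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
);

// Usage: php scan.php /var/log/nginx/access.log   (falls back to the sample with no argument)
$lines = ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample;
$hits  = find_widget_markup_requests( $lines );
foreach ( $hits as $h ) {
    printf( "%s %s %s status=%d ua=%s\n", $h['time'], $h['ip'], $h['method'], $h['status'], $h['ua'] );
}
foreach ( count_by_ip( $hits ) as $ip => $n ) {
    printf( "%s: %d request(s)\n", $ip, $n );
}
```

Run against the constructed sample, the script reports the two requests from 203.0.113.7 and nothing else; the POST from 198.51.100.4 is the case the caveat describes and would need a request log that captures the body to classify.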
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://avada.com/documentation/avada-changelog/
- https://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/inc/class-fusion-builder.php#L7551
- https://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1083
- https://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1531
- https://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/shortcodes/fusion-widget.php#L389
- https://plugins.trac.wordpress.org/browser/fusion-builder/tags/3.15.0/shortcodes/fusion-widget.php#L44
- https://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/class-fusion-builder.php#L7551
- https://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1083
- https://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/helpers/class-fusion-builder-conditional-render-helper.php#L1531
- https://plugins.trac.wordpress.org/browser/fusion-builder/trunk/shortcodes/fusion-widget.php#L389
- https://plugins.trac.wordpress.org/browser/fusion-builder/trunk/shortcodes/fusion-widget.php#L44
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc72d78-d47c-4b36-8d69-8672e15ddf8c?source=cve