⚡ Active KEV CVE-2026-6279 2026-05-21

CVE-2026-6279: Unauthenticated RCE in Avada Builder for WordPress

A critical (CVSS 9.8) PHP function injection flaw in the Avada Builder (fusion-builder) WordPress plugin lets unauthenticated attackers execute arbitrary code on affected sites running versions up to and including 3.15.2.

What Is It

CVE-2026-6279 is an unauthenticated Remote Code Execution vulnerability in the Avada Builder (fusion-builder) plugin for WordPress. The root cause lives in the wp_conditional_tags case of Fusion_Builder_Conditional_Render_Helper::get_value(), which passes attacker-controlled values from a base64-decoded JSON blob directly into PHP's call_user_func() with no allowlist validation. Wordfence classifies the weakness as CWE-74 (Injection).

The exploitable surface is the fusion_get_widget_markup AJAX endpoint, which is registered for unauthenticated users via wp_ajax_nopriv_fusion_get_widget_markup. The endpoint is gated only by a fusion_load_nonce token, but that nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page that renders a Post Cards ([fusion_post_cards]) or Table of Contents ([fusion_table_of_contents]) element, neutralizing the nonce as a security control.
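The two paragraphs above describe a classic injection shape: a client-supplied string from a base64-decoded JSON blob reaches `call_user_func()` unchecked, behind a nonce that is no authorization control because it is minted for user ID 0 and printed into public pages. The following is an added illustrative example, not the fusion-builder source and not the vendor's fix. It models that weakness class in a small WordPress AJAX handler and shows one way to harden it: fail closed unless the requested conditional tag is on a strict allowlist, and constrain its arguments. The action name `example_widget_markup`, the nonce action `example_load_nonce`, and the payload keys `condition`, `tag` and `args` are assumptions for the example.

```php
<?php
// Added example (not the plugin's code). Payload keys 'condition', 'tag' and
// 'args' and the action/nonce names are assumptions for illustration.

// Vulnerable pattern: whatever function name the client sent is invoked.
// Any PHP function the process can reach becomes callable by an anonymous user.
function insecure_conditional_value( array $condition ) {
    $tag  = $condition['tag']  ?? '';
    $args = $condition['args'] ?? [];
    return call_user_func_array( $tag, $args ); // no allowlist: the core defect
}

// Hardened pattern: only known WordPress conditional tags are reachable,
// and only with the kind of argument those tags actually accept.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_single', 'is_singular', 'is_page', 'is_home', 'is_front_page',
    'is_archive', 'is_category', 'is_tag', 'is_search', 'is_404',
];

function secure_conditional_value( array $condition ): bool {
    $tag = $condition['tag'] ?? '';
    // Strict comparison so "0", "" or non-string values cannot slip through.
    if ( ! is_string( $tag ) || ! in_array( $tag, ALLOWED_CONDITIONAL_TAGS, true ) ) {
        return false; // unknown tag: fail closed rather than guess
    }
    $args = $condition['args'] ?? [];
    // Conditional tags take at most one "which" argument (int, string or array of those).
    if ( ! is_array( $args ) || count( $args ) > 1 ) {
        return false;
    }
    foreach ( $args as $a ) {
        if ( ! is_scalar( $a ) && ! is_array( $a ) ) {
            return false;
        }
    }
    return (bool) call_user_func_array( $tag, $args );
}

// Decode the client blob defensively: strict base64, bounded JSON depth, arrays only.
function decode_condition( string $encoded ): ?array {
    $raw = base64_decode( $encoded, true );
    if ( $raw === false ) {
        return null;
    }
    $data = json_decode( $raw, true, 8 );
    return is_array( $data ) ? $data : null;
}

// Endpoint wiring. Registering a nopriv handler means anyone on the internet
// can reach it; a nonce only guards against CSRF and must never be the sole
// control over which code runs.
add_action( 'wp_ajax_nopriv_example_widget_markup', 'example_widget_markup' );
add_action( 'wp_ajax_example_widget_markup', 'example_widget_markup' );

function example_widget_markup() {
    check_ajax_referer( 'example_load_nonce', 'nonce' ); // CSRF check, not authorization
    $condition = decode_condition( (string) ( $_POST['condition'] ?? '' ) );
    if ( $condition === null ) {
        wp_send_json_error( 'bad payload', 400 );
    }
    wp_send_json_success( [ 'match' => secure_conditional_value( $condition ) ] );
}
```

The design point is that the allowlist, not the nonce, is what bounds the attack surface: even a valid nonce presented by an anonymous caller can only select among the named conditional tags, so the "remote PHP function call primitive" the page describes no longer exists in the hardened handler.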

Why It Matters

CVSS 3.1 base score is 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, no authentication, no user interaction, and full impact on confidentiality, integrity, and availability. Any site running an affected version of the plugin and exposing a public page with the relevant shortcodes effectively hands a remote PHP function call primitive to anonymous attackers, enabling full site takeover.

This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.

What's Vulnerable

Patch Status

Vendor source references point to the Avada changelog as the authoritative tracker for fixed releases. Administrators should consult the Avada changelog and update the fusion-builder plugin to a version newer than 3.15.2 as soon as a fixed release is available, and audit affected sites for signs of compromise.
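For administrators triaging many sites, the first question is simply which installs are at or below 3.15.2. The following is an added example, not from the page or the vendor: it reads the `Version:` line from a plugin's header block the same way WordPress's own header parser does and compares it against the affected ceiling with `version_compare()`. The plugin file path `wp-content/plugins/fusion-builder/fusion-builder.php` is an assumption; adjust it to where the plugin's main file actually lives on your install. The sample header at the bottom is constructed for the demo.

```php
<?php
// Added example (not the vendor's tooling). Plugin path below is an assumption.
const AFFECTED_MAX_VERSION = '3.15.2'; // from the advisory text: "up to and including 3.15.2"
const ASSUMED_PLUGIN_FILE  = 'wp-content/plugins/fusion-builder/fusion-builder.php';

// Extract "Version: x.y.z" from a WordPress plugin header block (same regex
// shape WordPress uses for file headers: optional comment decoration, then the
// field name, then the value).
function plugin_header_version( string $header ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// True when the installed version is within the affected range.
function is_affected_version( string $version ): bool {
    return version_compare( $version, AFFECTED_MAX_VERSION, '<=' );
}

// Read the header from disk; returns null if the plugin is not installed.
function installed_plugin_version( string $plugin_file ): ?string {
    if ( ! is_readable( $plugin_file ) ) {
        return null;
    }
    // WordPress only reads the first 8 KiB of a file for headers; do the same.
    $head = file_get_contents( $plugin_file, false, null, 0, 8192 );
    return $head === false ? null : plugin_header_version( $head );
}

// Constructed sample header, so the check can be exercised without a WordPress install.
$sample_header = "<?php\n/**\n * Plugin Name: Avada Builder\n * Version: 3.15.2\n */\n";
$sample_version = plugin_header_version( $sample_header );
printf(
    "sample header version %s -> %s\n",
    $sample_version,
    is_affected_version( $sample_version ) ? 'AFFECTED' : 'not in affected range'
);

// Real check against the (assumed) on-disk path.
$installed = installed_plugin_version( ASSUMED_PLUGIN_FILE );
if ( $installed === null ) {
    echo "fusion-builder not found at " . ASSUMED_PLUGIN_FILE . "\n";
} else {
    printf( "installed %s -> %s\n", $installed, is_affected_version( $installed ) ? 'AFFECTED: update' : 'above 3.15.2' );
}
```

Run it with `php check-fusion-builder.php` from the WordPress document root. Because the advisory says a fixed release must be "newer than 3.15.2", anything that compares less than or equal to that ceiling should be treated as affected until the Avada changelog confirms a patched version, and those sites should also be reviewed for signs of compromise as the paragraph above recommends.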

Sources