Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

CVE-2026-6279: Avada Builder plugin for WordPress allows attackers to run code remotely

CVE-2026-6279

Summary

The Avada Builder plugin for WordPress allows attackers to run code on a website without needing a password. This is a serious security risk because attackers can do anything they want with the website. To fix this, update the plugin to version 3.15.3 or later.

Original title

Original description

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.

nvd CVSS3.1 9.8

Vulnerability type

CWE-74 Injection

Published: 21 May 2026 · Updated: 30 May 2026 · First seen: 21 May 2026