CVE-2026-6279
CriticalSummary
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated remote code execution via PHP function injection in versions up to and including 3.15.2. This is due to passing attacker-controlled values directly to `call_user_func()` without allowlist validation.
Risk Assessment
Unauthenticated attackers can exploit this vulnerability to execute arbitrary code on the server, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update the Avada Builder plugin to the latest version to mitigate this vulnerability. Additionally, consider implementing further security measures, such as restricting access to AJAX endpoints.
Original NVD description (English source)
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrar

