Avada Builder RCE (CVE-2026-6279) Exposes WordPress Sites
The National Vulnerability Database reports a critical unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2026-6279, in the Avada Builder (fusion-builder) plugin for WordPress. Affecting versions up to and including 3.15.2, this flaw stems from improper input validation within the Fusion_Builder_Conditional_Render_Helper::get_value() function. Specifically, attacker-controlled values from a base64-decoded JSON blob are passed directly to call_user_func() without any allowlist validation, leading to PHP Function Injection.
This RCE is exploitable by unauthenticated attackers via the fusion_get_widget_markup AJAX endpoint. The endpoint is protected by a nonce, but the National Vulnerability Database highlights that this fusion_load_nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards or Table of Contents element. Because the nonce can be read from those pages, the check is trivially bypassed, allowing arbitrary code execution on vulnerable WordPress sites.
Rated with a CVSS score of 9.8 (CRITICAL), this vulnerability poses an extreme risk. The attacker’s calculus here is straightforward: no authentication, publicly exposed nonce, and direct function injection. This is a low-effort, high-impact attack vector that defenders must prioritize immediately. Organizations running Avada Builder on their WordPress instances are directly in the crosshairs.
What This Means For You
- If your organization uses the Avada Builder (fusion-builder) plugin on WordPress, you are critically exposed. Immediately identify all instances running versions up to and including 3.15.2 and apply the latest available patch. Audit your web server logs for any suspicious `fusion_get_widget_markup` AJAX endpoint activity, especially from unauthenticated sources, as this vulnerability allows full system compromise.
🛡️ Detection Rules
CVE-2026-6279 - Avada Builder Unauthenticated RCE via PHP Function Injection

```yaml
title: CVE-2026-6279 - Avada Builder Unauthenticated RCE via PHP Function Injection
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-6279 by targeting the `fusion_get_widget_markup` AJAX endpoint
  with a payload that attempts to leverage `call_user_func` with attacker-controlled data, indicative
  of PHP Function Injection within the Avada Builder plugin.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6279/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    # The three query-string conditions were originally written as three duplicate
    # 'cs-uri-query|contains' keys, which YAML parsers collapse into the last one.
    # '|all' expresses the intended AND of all three substrings.
    cs-uri-query|contains|all:
      - 'action=fusion_get_widget_markup'
      - 'fusion_builder_data'
      - 'call_user_func'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
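The log-audit step recommended above and the Sigma rule can be exercised offline with the following Python scanner, added here as an example that is not part of the original post or the Avada project. It parses constructed Combined Log Format lines, flags requests to admin-ajax.php with action=fusion_get_widget_markup, raises severity when the fusion_builder_data parameter from the rule is present, and base64-decodes that parameter to JSON for analyst review, since the advisory describes the injected values as arriving in a base64-encoded JSON blob rather than as a plaintext string. The nonce value and the decoded blob contents are constructed placeholders.

```python
import base64
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:09:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_get_widget_markup&fusion_load_nonce=abc123&fusion_builder_data=eyJhIjoxfQ== HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [21/May/2026:09:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [21/May/2026:09:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_blob(value):
    """Base64-decode a query value and parse it as JSON; None if either step fails."""
    try:
        return json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None

def inspect_request(line):
    """Return a finding for a fusion_get_widget_markup request, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    if params.get("action") != ["fusion_get_widget_markup"]:
        return None
    finding = {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
               "status": m.group("status"), "severity": "medium"}
    # The builder data blob is the attacker-controlled input; surface it decoded.
    blob = params.get("fusion_builder_data", [None])[0]
    if blob is not None:
        finding["severity"] = "high"
        finding["decoded"] = decode_blob(blob)
    return finding

def scan(log_text):
    """Return findings for every matching line in an access log."""
    return [f for f in (inspect_request(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body never reach the access log, so a POST to the endpoint is reported at medium severity only; treat this as a triage aid alongside the Sigma rule, not a replacement for patching.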
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6279 | RCE | Avada Builder (fusion-builder) plugin for WordPress versions <= 3.15.2 |
| CVE-2026-6279 | RCE | Vulnerable function: Fusion_Builder_Conditional_Render_Helper::get_value() via wp_conditional_tags case |
| CVE-2026-6279 | RCE | Exploitable AJAX endpoint: fusion_get_widget_markup (wp_ajax_nopriv_fusion_get_widget_markup) |
| CVE-2026-6279 | RCE | Vulnerable component: PHP Function Injection via call_user_func() with attacker-controlled values |
| CVE-2026-6279 | Auth Bypass | Nonce bypass: fusion_load_nonce deterministically exposed for user ID 0 in JavaScript output of pages with [fusion_post_cards] or [fusion_table_of_contents] elements |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 08:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.