CVE-2026-6279 Overview
CVE-2026-6279 is an unauthenticated remote code execution (RCE) vulnerability in the Avada Builder (fusion-builder) plugin for WordPress. The flaw affects all versions up to and including 3.15.2. The wp_conditional_tags case in Fusion_Builder_Conditional_Render_Helper::get_value() passes attacker-controlled values from a base64-decoded JSON blob directly to call_user_func() without allowlist validation. Attackers reach the sink through the fusion_get_widget_markup AJAX endpoint registered via wp_ajax_nopriv_fusion_get_widget_markup. This endpoint is reachable by unauthenticated users and protected only by a fusion_load_nonce value that is leaked on any public page rendering a Post Cards or Table of Contents element.
Critical Impact
Unauthenticated attackers can execute arbitrary PHP code on vulnerable WordPress sites, leading to full site compromise.
Affected Products
- Avada Builder (fusion-builder) plugin for WordPress, versions up to and including 3.15.2
- WordPress sites running the Avada theme with the bundled Fusion Builder plugin
- Public-facing pages containing the [fusion_post_cards] or [fusion_table_of_contents] shortcodes
Discovery Timeline
- 2026-05-21 - CVE-2026-6279 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-6279
Vulnerability Analysis
The vulnerability is a PHP Function Injection flaw classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The Avada Builder plugin exposes an AJAX action, fusion_get_widget_markup, intended to render widget markup on demand. The handler routes specific render requests through Fusion_Builder_Conditional_Render_Helper::get_value(). Within that helper, the wp_conditional_tags branch decodes a base64 JSON payload supplied by the client and forwards the resulting string into call_user_func() without restricting which functions can be invoked.
Because no allowlist or signature validation is applied, the attacker controls the first argument to call_user_func(). Any callable PHP function reachable in the WordPress runtime can be invoked, including functions that execute arbitrary commands or write files. The result is direct arbitrary code execution under the web server user context.
Root Cause
The root cause is unsafe use of call_user_func() with untrusted input. The helper trusts client-supplied data after base64 decoding and JSON parsing, treating it as a legitimate callback identifier. No type check, function allowlist, or capability check restricts which function is dispatched.
Attack Vector
The endpoint registers under wp_ajax_nopriv_fusion_get_widget_markup, which WordPress exposes to unauthenticated visitors. Access is gated only by the fusion_load_nonce token. WordPress generates this nonce for user ID 0 (the unauthenticated user), and the plugin embeds it deterministically into the JavaScript output of any public page rendering a Post Cards or Table of Contents element. An attacker fetches such a page, extracts the nonce, then submits a crafted POST request to admin-ajax.php containing a base64-encoded JSON payload that resolves to an arbitrary PHP function name and arguments.
For technical details on the affected code paths, refer to the WordPress Fusion Render Helper Code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-6279
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=fusion_get_widget_markup originating from unauthenticated sources
- Request bodies containing base64-encoded JSON referencing PHP functions such as system, exec, passthru, shell_exec, assert, or eval
- Unexpected PHP processes spawned by the web server user, or new files written under the WordPress webroot (web shells)
- Outbound network connections initiated by the php-fpm or web server process to attacker-controlled hosts
Detection Strategies
- Inspect web server access logs for high-frequency fusion_get_widget_markup requests with large payload sizes
- Monitor for child processes of the web server executing shell utilities (sh, bash, wget, curl)
- Apply file integrity monitoring across the wp-content/ directory to detect newly written PHP files
- Use a Web Application Firewall (WAF) rule that blocks fusion_get_widget_markup requests carrying wp_conditional_tags payloads from unauthenticated sources
Monitoring Recommendations
- Centralize WordPress access and PHP error logs into a SIEM and alert on anomalous AJAX usage patterns
- Track plugin version inventories across managed WordPress instances to identify Fusion Builder versions <= 3.15.2
- Correlate nonce-bearing AJAX requests with downstream process execution telemetry on the host
How to Mitigate CVE-2026-6279
Immediate Actions Required
- Update the Avada Builder (fusion-builder) plugin to the latest patched release published by ThemeFusion as documented in the Avada Changelog
- If immediate patching is not possible, disable the Avada Builder plugin or remove [fusion_post_cards] and [fusion_table_of_contents] shortcodes from all public-facing content
- Audit the WordPress site for web shells, unauthorized administrator accounts, and modified core files
- Rotate WordPress secret keys (wp-config.php salts) and credentials for any service accessible from the compromised host
Patch Information
ThemeFusion has released a fixed version of the Avada Builder plugin addressing the unsafe call_user_func() invocation. Site administrators should upgrade beyond version 3.15.2. Review the Avada Changelog Documentation and the Wordfence Vulnerability Report for the specific fixed version and remediation details.
Workarounds
- Deploy a WAF rule that drops POST requests to admin-ajax.php where action=fusion_get_widget_markup and the source is unauthenticated
- Remove the Post Cards and Table of Contents elements from public pages until the plugin is updated to prevent nonce leakage
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks using upstream proxy controls where feasible
# Example WAF/nginx rule to block the vulnerable AJAX action
location = /wp-admin/admin-ajax.php {
if ($request_method = POST) {
if ($request_body ~* "action=fusion_get_widget_markup") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
