- wordpress
- avada
- rce
- cve
- php
- fusion-builder
news
Avada Builder WordPress Unauthenticated RCE (CVE-2026-6279)
Sploitus-indexed PoC abuses the fusion_get_widget_markup AJAX handler with a nonce leaked in page JS to reach call_user_func() with arbitrary PHP function names and arguments.
Summary
CVE-2026-6279 is an unauthenticated remote code execution flaw in the Avada Builder (fusion-builder) WordPress plugin, versions 3.15.2 and earlier. The fusion_get_widget_markup AJAX handler, registered via wp_ajax_nopriv_ and therefore reachable by anonymous visitors, processes a base64-encoded render_logics payload whose wp_conditional_tags branch passes attacker-controlled function names and arguments directly to call_user_func() with no allowlist. The only protection is the fusion_load_nonce check, but that nonce is created for user ID 0 and embedded in public pages containing [fusion_post_cards] or [fusion_table_of_contents] shortcodes. A WordPress nonce for user ID 0 is not per-visitor: it is identical for every anonymous request within its 12-hour tick and accepted for 12 to 24 hours, so anyone who can load such a page holds a valid nonce. A PoC is indexed on Sploitus. CVSS 9.8.
OFFSITE.DARK cites Sploitus as aggregation source only.
Technical Details
| Aspect | Detail |
|---|---|
| Sink | Fusion_Builder_Conditional_Render_Helper::get_value() → call_user_func() |
| Entry | admin-ajax.php?action=fusion_get_widget_markup (nopriv) |
| Nonce | fusion_load_nonce (user ID 0, leaked in page JS) |
| Affected | fusion-builder ≤ 3.15.2 |
| Patched | 3.15.3 |
| CWE | CWE-94 / function injection via downstream call_user_func |
Attack flow:
Fetch public page with Post Cards / TOC shortcode
│
▼
Extract fusion_load_nonce from inline JS
│
▼
POST render_logics (base64 JSON) with wp_conditional_tags clause
│
▼
call_user_func('system', 'id') executes server-side
│
▼
Output returned in AJAX response body
Indexed PoCs demonstrate system, passthru, exec, and shell_exec invocation.
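The sink pattern above, shown as an added illustration (this is not code from the fusion-builder plugin and does not reproduce its source). It follows the page's description: render_logics is base64-wrapped JSON, and the wp_conditional_tags branch hands a function name and arguments to call_user_func. The JSON key names `type`, `function` and `args`, the function names `decode_render_logics`, `vulnerable_get_value` and `hardened_get_value`, and the allowlist constant are all assumptions made for this example. The hardened variant is what the fix should look like in principle: resolve the name against a fixed table of genuine WordPress conditional tags and never call anything else.

```php
<?php
// Added example, not the plugin's code. Key names ('type', 'function',
// 'args') and all function/constant names below are assumed for illustration.

/**
 * Decode the render_logics parameter as the advisory describes it:
 * base64 wrapping a JSON document. Strict base64 decoding rejects junk.
 */
function decode_render_logics(string $raw): ?array {
    $json = base64_decode($raw, true);
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

/** VULNERABLE pattern: both the callable and its arguments come from the client. */
function vulnerable_get_value(array $clause) {
    if (($clause['type'] ?? '') !== 'wp_conditional_tags') {
        return false;
    }
    // No allowlist, so 'system', 'passthru', 'exec', 'shell_exec' are all accepted.
    return call_user_func_array($clause['function'], (array) ($clause['args'] ?? []));
}

/**
 * HARDENED pattern: a closed table of real WordPress conditional tags, each
 * with the number of positional arguments it legitimately takes.
 */
const FUSION_SAFE_CONDITIONAL_TAGS = [
    'is_front_page' => 0, 'is_home' => 0, 'is_archive' => 0, 'is_search' => 0,
    'is_404' => 0, 'is_user_logged_in' => 0,
    'is_single' => 1, 'is_page' => 1, 'is_singular' => 1,
    'is_category' => 1, 'is_tag' => 1, 'is_post_type_archive' => 1,
];

function hardened_get_value(array $clause): bool {
    if (($clause['type'] ?? '') !== 'wp_conditional_tags') {
        return false;
    }
    $fn = $clause['function'] ?? null;
    if (!is_string($fn) || !array_key_exists($fn, FUSION_SAFE_CONDITIONAL_TAGS)) {
        return false; // unknown name: the clause is false, nothing is called
    }
    // Keep only the positional arguments the tag accepts; drop the rest.
    $args = array_values((array) ($clause['args'] ?? []));
    $args = array_slice($args, 0, FUSION_SAFE_CONDITIONAL_TAGS[$fn]);
    foreach ($args as $arg) {
        // Conditional tags take ints, strings, or arrays of those; nothing else.
        if (!is_scalar($arg) && !is_array($arg)) {
            return false;
        }
    }
    return (bool) call_user_func_array($fn, $args);
}

// Constructed payload in the shape the advisory describes (key names assumed).
$payload = base64_encode(json_encode([
    ['type' => 'wp_conditional_tags', 'function' => 'system', 'args' => ['id']],
]));

foreach (decode_render_logics($payload) ?? [] as $clause) {
    // vulnerable_get_value($clause) would execute `id` on the server here.
    var_dump(hardened_get_value($clause)); // bool(false): 'system' is not an allowed tag
}
```

The allowlist, not the nonce, is the real fix: as the Summary notes, a nonce minted for user ID 0 is shared by every anonymous visitor, so check_ajax_referer('fusion_load_nonce', ...) only proves the caller loaded a public page. Where the handler has no reason to serve anonymous users, dropping the wp_ajax_nopriv_ registration removes the exposed surface entirely.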
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-6279 |
| CVSS (Sploitus) | 9.8 Critical |
| Vendor fix | Avada Builder ≥ 3.15.3 |
| Sploitus date | 2026-06-13 |
| Public PoC repo | xxconi/CVE-2026-6279 |
Impact
Unauthenticated full site compromise on WordPress installations running vulnerable Avada Builder with exposed shortcode elements. Avada is among the highest-install-base commercial themes; fusion-builder ships with it. Impact includes database access, user credential theft, malware distribution, and hosting abuse.
Mitigation
- Update fusion-builder to 3.15.3+ immediately.
- Remove Post Cards and Table of Contents elements from public pages until patched. This only reduces nonce exposure: the nonce for user ID 0 is the same for every anonymous visitor and may be emitted by other elements, so treat it as a stopgap, not a fix.
- Block unauthenticated requests with `action=fusion_get_widget_markup` at the WAF where business allows. The handler is registered nopriv so that front-end widgets can load; confirm that public pages still render after the rule is deployed.
- Emergency workaround: unregister `wp_ajax_nopriv_fusion_get_widget_markup` for anonymous users via custom (mu-)plugin code.
- Monitor `admin-ajax.php` POSTs carrying a base64 `render_logics` parameter, and PHP error logs referencing unexpected `call_user_func` targets.
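The emergency workaround and the monitoring bullet above, as an added must-use plugin (this is example code written for this page, not vendor or Avada code, and it assumes a WordPress install with the hook name the advisory gives). Everything else here is an assumption for illustration: the `fgwm_` function names, the `[fgwm-block]` log format, and the choice of `admin_init` as the hook, which admin-ajax.php fires before dispatching any `wp_ajax_nopriv_*` action.

```php
<?php
/**
 * Plugin Name: Block anonymous fusion_get_widget_markup (emergency workaround)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              until fusion-builder >= 3.15.3 is installed, then remove it.
 */

// Hook name from the advisory; everything prefixed fgwm_ is assumed for this example.
const FGWM_ACTION = 'fusion_get_widget_markup';

/**
 * True when the request is an anonymous AJAX call to the vulnerable action.
 * Kept free of WordPress globals so the decision can be tested on its own.
 */
function fgwm_is_anonymous_widget_request(string $action, bool $logged_in): bool {
    return $action === FGWM_ACTION && !$logged_in;
}

/**
 * Summarise a render_logics value for the log without evaluating it:
 * strict base64, then a plain substring check for the dangerous branch.
 */
function fgwm_describe_render_logics(string $raw): string {
    $json = base64_decode($raw, true);
    if ($json === false) {
        return 'render_logics=not-base64';
    }
    $branch = strpos($json, 'wp_conditional_tags') !== false
        ? 'wp_conditional_tags=present'
        : 'wp_conditional_tags=absent';
    return $branch . ' body=' . substr($json, 0, 200);
}

if (function_exists('add_action')) {
    add_action('admin_init', function () {
        if (!wp_doing_ajax()) {
            return;
        }
        $action = isset($_REQUEST['action']) ? (string) wp_unslash($_REQUEST['action']) : '';
        if (!fgwm_is_anonymous_widget_request($action, is_user_logged_in())) {
            return;
        }
        // Log the attempt to the PHP error log: source address plus payload summary.
        $detail = isset($_POST['render_logics'])
            ? fgwm_describe_render_logics((string) wp_unslash($_POST['render_logics']))
            : 'render_logics=missing';
        error_log(sprintf('[fgwm-block] ip=%s action=%s %s',
            $_SERVER['REMOTE_ADDR'] ?? '-', $action, $detail));

        // Drop every callback on the nopriv hook, then answer 403 ourselves so
        // admin-ajax.php never reaches the plugin's handler for this request.
        remove_all_actions('wp_ajax_nopriv_' . FGWM_ACTION);
        wp_send_json_error(['message' => 'forbidden'], 403);
    }, 0);
}
```

Logged-in users are untouched, since the `wp_ajax_` (privileged) registration is not the one the advisory describes. Expect a `[fgwm-block]` line per blocked request; a burst of them with `wp_conditional_tags=present` is the attack traffic the monitoring bullet refers to.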
Sources
- Sploitus — CVE-2026-6279 (index reference)
- NVD — CVE-2026-6279