Introduction
An unauthenticated remote code execution vulnerability in the Avada Builder plugin for WordPress puts roughly one million sites at risk of full server compromise through a single crafted AJAX request. CVE-2026-6279, carrying a CVSS score of 9.8, allows any internet visitor to execute arbitrary PHP functions on a vulnerable server without logging in, without user interaction, and with a nonce "protection" that is effectively no protection at all.
Avada Builder (also known as fusion-builder) is the page building component bundled with the Avada theme, developed by ThemeFusion. Avada is marketed as the number one selling WordPress website builder and powers approximately one million WordPress installations. It provides visual front end design and editing tools used by beginners, marketers, and professional web developers alike, making it one of the most widely deployed premium WordPress plugins in the ecosystem.
Technical Information
Root Cause: Unvalidated call_user_func()
The core of CVE-2026-6279 is a PHP Function Injection vulnerability (classified as CWE-74) in the file inc/helpers/class-fusion-builder-conditional-render-helper.php. Specifically, the wp_conditional_tags case within the Fusion_Builder_Conditional_Render_Helper::get_value() method, around line 1531, takes a function name extracted from a base64 decoded JSON blob in the render_logics shortcode attribute and passes it directly into PHP's call_user_func().
There is no allowlist, no blocklist, and no validation of any kind restricting which PHP functions can be invoked. An attacker who controls the function name and its arguments can specify dangerous callables such as system, passthru, or exec and have them execute arbitrary operating system commands on the server.
Attack Surface: Unauthenticated AJAX Endpoint
The vulnerable code path is reachable without any authentication due to two specific design decisions in the plugin:
-
AJAX endpoint registration (
shortcodes/fusion-widget.php, line 44): The handlerfusion_get_widget_markupis hooked towp_ajax_nopriv_fusion_get_widget_markup. Thenoprivhook in WordPress explicitly makes the endpoint available to unauthenticated visitors, meaning anyone on the internet can send requests to it. -
Nonce exposure (
inc/class-fusion-builder.php, line 7551): The endpoint is nominally protected by a nonce calledfusion_load_nonce. However, this nonce is generated for user ID 0, which represents the anonymous (unauthenticated) user in WordPress. Furthermore, this nonce value is deterministically embedded in the JavaScript output of any public facing page that renders a[fusion_post_cards]or[fusion_table_of_contents]shortcode element. Any visitor can simply view the page source to obtain a valid nonce.
Step by Step Attack Flow
The exploitation chain proceeds as follows:
-
The attacker visits a public page on the target WordPress site that contains either a Post Cards or Table of Contents element. These are common Avada Builder components used on blog listing pages, documentation pages, and similar content.
-
The attacker inspects the page's JavaScript output and extracts the
fusion_load_noncevalue. Because this nonce is generated for user ID 0, it is valid for any unauthenticated request. -
The attacker crafts a POST request to
wp-admin/admin-ajax.phpwith theactionparameter set tofusion_get_widget_markup. The request includes the scraped nonce and arender_logicsattribute containing a base64 encoded JSON blob. -
Inside the JSON blob, the attacker specifies a
wp_conditional_tagsentry where the function name is set to an arbitrary PHP function (for example,system) and the arguments contain the desired command to execute. -
The server processes the AJAX request, the
get_value()method decodes the JSON, and the attacker controlled function name and arguments are passed directly tocall_user_func(). -
The specified PHP function executes with the attacker's arguments, resulting in arbitrary code execution on the web server. From here, the attacker can read files, install backdoors, pivot to databases, or take complete control of the hosting environment.
The entire chain requires no authentication, no user interaction, and no special privileges. The only prerequisite is that the target site has at least one public page using a Post Cards or Table of Contents element, which is extremely common on Avada powered sites.
Patch Information
ThemeFusion addressed CVE-2026-6279 in Avada Builder version 3.15.3, shipped as part of the Avada 7.15.3 theme release on May 12, 2026. All versions from 0 through 3.15.2 remain vulnerable.
The patch targets the root cause by introducing allowlist validation on the function name before it reaches call_user_func(). Rather than permitting arbitrary callables, the patched get_value() method in class-fusion-builder-conditional-render-helper.php now checks the requested function against a predefined list of safe WordPress conditional tag functions (such as is_home, is_single, is_page, and similar). Any function name not present in this allowlist is rejected, preventing PHP function injection entirely.
Avada's official update page for version 7.15.3 confirms this fix with the note: "SECURITY: Fixed possible remote code execution via PHP function injection in the Widget component." The same release also bundled additional hardening measures, including improved output sanitization for base64 encoded parameters, a more robust regex for the fusion_code parameter, and tighter custom SVG upload checks. Those additional changes correspond to sibling CVEs rather than CVE-2026-6279 specifically.
It is important to note that version 3.15.2 (released April 13, 2026) addressed different vulnerabilities (CVE-2026-4798, a time based blind SQL injection, and partially CVE-2026-4782, an arbitrary file read) but did not fix the RCE function injection. Only version 3.15.3 contains the complete remediation for CVE-2026-6279.
For sites that cannot be patched immediately, administrators should deactivate the Avada Builder plugin entirely. This removes the vulnerable shortcode handler and the exposed AJAX endpoint from the attack surface. Administrators must also verify that their Avada theme is registered with a current ThemeFusion license, because Avada Builder updates are delivered through ThemeFusion's proprietary update channel rather than the standard WordPress.org directory. A lapsed license will prevent the 3.15.3 update from appearing in the WordPress dashboard.
Defenders should also monitor web application firewall logs for anomalous POST requests targeting the action=fusion_get_widget_markup endpoint, particularly those containing base64 encoded JSON payloads.
Affected Systems and Versions
The vulnerability affects the following:
| Component | Affected Versions | Fixed Version |
|---|---|---|
| Avada Builder (fusion-builder) plugin | All versions from 0 through 3.15.2 (inclusive) | 3.15.3 |
| Avada Theme (bundled with Avada Builder) | Versions shipping with Avada Builder up to 3.15.2 | 7.15.3 |
Any WordPress site running Avada Builder version 3.15.2 or earlier is vulnerable. The vulnerability is exploitable on sites where at least one public facing page contains a [fusion_post_cards] or [fusion_table_of_contents] shortcode element, as these elements cause the fusion_load_nonce to be exposed in the page's JavaScript output. However, even sites without these specific elements may have reduced but nonzero risk if the AJAX endpoint is reachable through other means.
Vendor Security History
Avada Builder has seen a cluster of security issues in recent releases. The following table summarizes the recent CVEs addressed in the 3.15.x release cycle:
| CVE ID | Vulnerability Type | Authentication Required | Affected Versions | Patched Version |
|---|---|---|---|---|
| CVE-2026-6279 | Remote Code Execution | No | Up to 3.15.2 | 3.15.3 |
| CVE-2026-4782 | Arbitrary File Read | Yes (Subscriber) | Up to 3.15.2 | 3.15.3 |
| CVE-2026-4798 | Time Based Blind SQL Injection | No | Up to 3.15.1 | 3.15.2 |
Administrators who updated to 3.15.2 to patch the SQL injection (CVE-2026-4798) remain vulnerable to both the arbitrary file read (CVE-2026-4782) and the critical RCE (CVE-2026-6279). Version 3.15.3 is the mandatory baseline for security across all three issues.
ThemeFusion has demonstrated responsiveness in addressing these issues, with version 3.15.2 released on April 13, 2026, and version 3.15.3 following on May 12, 2026. However, the pattern of multiple critical and high severity vulnerabilities in rapid succession warrants close attention from security teams managing Avada deployments.
References
- Wordfence Threat Intel: CVE-2026-6279
- Wordfence: Avada (Fusion) Builder <= 3.15.2 Unauthenticated RCE
- NVD: CVE-2026-6279
- CVE.org: CVE-2026-6279
- Avada Important Update Information
- Avada Changelog
- Fusion Builder Source: class-fusion-builder-conditional-render-helper.php (line 1531)
- Fusion Builder Source: class-fusion-builder-conditional-render-helper.php (line 1083)
- Fusion Builder Source: fusion-widget.php (line 44)
- Fusion Builder Source: class-fusion-builder.php (line 7551)
- BleepingComputer: Avada Builder WordPress Plugin Flaws



