ZeroPath at Black Hat USA 2026

Avada Builder CVE-2026-6279: Brief Summary of Unauthenticated RCE via PHP Function Injection

A brief summary of CVE-2026-6279, a critical unauthenticated remote code execution vulnerability in the Avada Builder WordPress plugin affecting up to one million sites. Includes technical details, patch information, and vendor context.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

Avada Builder CVE-2026-6279: Brief Summary of Unauthenticated RCE via PHP Function Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated remote code execution vulnerability in the Avada Builder plugin for WordPress puts roughly one million sites at risk of full server compromise through a single crafted AJAX request. CVE-2026-6279, carrying a CVSS score of 9.8, allows any internet visitor to execute arbitrary PHP functions on a vulnerable server without logging in, without user interaction, and with a nonce "protection" that is effectively no protection at all.

Avada Builder (also known as fusion-builder) is the page building component bundled with the Avada theme, developed by ThemeFusion. Avada is marketed as the number one selling WordPress website builder and powers approximately one million WordPress installations. It provides visual front end design and editing tools used by beginners, marketers, and professional web developers alike, making it one of the most widely deployed premium WordPress plugins in the ecosystem.

Technical Information

Root Cause: Unvalidated call_user_func()

The core of CVE-2026-6279 is a PHP Function Injection vulnerability (classified as CWE-74) in the file inc/helpers/class-fusion-builder-conditional-render-helper.php. Specifically, the wp_conditional_tags case within the Fusion_Builder_Conditional_Render_Helper::get_value() method, around line 1531, takes a function name extracted from a base64 decoded JSON blob in the render_logics shortcode attribute and passes it directly into PHP's call_user_func().

There is no allowlist, no blocklist, and no validation of any kind restricting which PHP functions can be invoked. An attacker who controls the function name and its arguments can specify dangerous callables such as system, passthru, or exec and have them execute arbitrary operating system commands on the server.

Attack Surface: Unauthenticated AJAX Endpoint

The vulnerable code path is reachable without any authentication due to two specific design decisions in the plugin:

  1. AJAX endpoint registration (shortcodes/fusion-widget.php, line 44): The handler fusion_get_widget_markup is hooked to wp_ajax_nopriv_fusion_get_widget_markup. The nopriv hook in WordPress explicitly makes the endpoint available to unauthenticated visitors, meaning anyone on the internet can send requests to it.

  2. Nonce exposure (inc/class-fusion-builder.php, line 7551): The endpoint is nominally protected by a nonce called fusion_load_nonce. However, this nonce is generated for user ID 0, which represents the anonymous (unauthenticated) user in WordPress. Furthermore, this nonce value is deterministically embedded in the JavaScript output of any public facing page that renders a [fusion_post_cards] or [fusion_table_of_contents] shortcode element. Any visitor can simply view the page source to obtain a valid nonce.

Step by Step Attack Flow

The exploitation chain proceeds as follows:

  1. The attacker visits a public page on the target WordPress site that contains either a Post Cards or Table of Contents element. These are common Avada Builder components used on blog listing pages, documentation pages, and similar content.

  2. The attacker inspects the page's JavaScript output and extracts the fusion_load_nonce value. Because this nonce is generated for user ID 0, it is valid for any unauthenticated request.

  3. The attacker crafts a POST request to wp-admin/admin-ajax.php with the action parameter set to fusion_get_widget_markup. The request includes the scraped nonce and a render_logics attribute containing a base64 encoded JSON blob.

  4. Inside the JSON blob, the attacker specifies a wp_conditional_tags entry where the function name is set to an arbitrary PHP function (for example, system) and the arguments contain the desired command to execute.

  5. The server processes the AJAX request, the get_value() method decodes the JSON, and the attacker controlled function name and arguments are passed directly to call_user_func().

  6. The specified PHP function executes with the attacker's arguments, resulting in arbitrary code execution on the web server. From here, the attacker can read files, install backdoors, pivot to databases, or take complete control of the hosting environment.

The entire chain requires no authentication, no user interaction, and no special privileges. The only prerequisite is that the target site has at least one public page using a Post Cards or Table of Contents element, which is extremely common on Avada powered sites.

Patch Information

ThemeFusion addressed CVE-2026-6279 in Avada Builder version 3.15.3, shipped as part of the Avada 7.15.3 theme release on May 12, 2026. All versions from 0 through 3.15.2 remain vulnerable.

The patch targets the root cause by introducing allowlist validation on the function name before it reaches call_user_func(). Rather than permitting arbitrary callables, the patched get_value() method in class-fusion-builder-conditional-render-helper.php now checks the requested function against a predefined list of safe WordPress conditional tag functions (such as is_home, is_single, is_page, and similar). Any function name not present in this allowlist is rejected, preventing PHP function injection entirely.

Avada's official update page for version 7.15.3 confirms this fix with the note: "SECURITY: Fixed possible remote code execution via PHP function injection in the Widget component." The same release also bundled additional hardening measures, including improved output sanitization for base64 encoded parameters, a more robust regex for the fusion_code parameter, and tighter custom SVG upload checks. Those additional changes correspond to sibling CVEs rather than CVE-2026-6279 specifically.

It is important to note that version 3.15.2 (released April 13, 2026) addressed different vulnerabilities (CVE-2026-4798, a time based blind SQL injection, and partially CVE-2026-4782, an arbitrary file read) but did not fix the RCE function injection. Only version 3.15.3 contains the complete remediation for CVE-2026-6279.

For sites that cannot be patched immediately, administrators should deactivate the Avada Builder plugin entirely. This removes the vulnerable shortcode handler and the exposed AJAX endpoint from the attack surface. Administrators must also verify that their Avada theme is registered with a current ThemeFusion license, because Avada Builder updates are delivered through ThemeFusion's proprietary update channel rather than the standard WordPress.org directory. A lapsed license will prevent the 3.15.3 update from appearing in the WordPress dashboard.

Defenders should also monitor web application firewall logs for anomalous POST requests targeting the action=fusion_get_widget_markup endpoint, particularly those containing base64 encoded JSON payloads.

Affected Systems and Versions

The vulnerability affects the following:

ComponentAffected VersionsFixed Version
Avada Builder (fusion-builder) pluginAll versions from 0 through 3.15.2 (inclusive)3.15.3
Avada Theme (bundled with Avada Builder)Versions shipping with Avada Builder up to 3.15.27.15.3

Any WordPress site running Avada Builder version 3.15.2 or earlier is vulnerable. The vulnerability is exploitable on sites where at least one public facing page contains a [fusion_post_cards] or [fusion_table_of_contents] shortcode element, as these elements cause the fusion_load_nonce to be exposed in the page's JavaScript output. However, even sites without these specific elements may have reduced but nonzero risk if the AJAX endpoint is reachable through other means.

Vendor Security History

Avada Builder has seen a cluster of security issues in recent releases. The following table summarizes the recent CVEs addressed in the 3.15.x release cycle:

CVE IDVulnerability TypeAuthentication RequiredAffected VersionsPatched Version
CVE-2026-6279Remote Code ExecutionNoUp to 3.15.23.15.3
CVE-2026-4782Arbitrary File ReadYes (Subscriber)Up to 3.15.23.15.3
CVE-2026-4798Time Based Blind SQL InjectionNoUp to 3.15.13.15.2

Administrators who updated to 3.15.2 to patch the SQL injection (CVE-2026-4798) remain vulnerable to both the arbitrary file read (CVE-2026-4782) and the critical RCE (CVE-2026-6279). Version 3.15.3 is the mandatory baseline for security across all three issues.

ThemeFusion has demonstrated responsiveness in addressing these issues, with version 3.15.2 released on April 13, 2026, and version 3.15.3 following on May 12, 2026. However, the pattern of multiple critical and high severity vulnerabilities in rapid succession warrants close attention from security teams managing Avada deployments.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization