CVE-2026-6279 · The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in

01 · The Real Story

This is a front-door lock with the spare key hidden under only some welcome mats

CVE-2026-6279 is a PHP function-injection bug in Avada Builder (fusion-builder) affecting versions <= 3.15.2, fixed in 3.15.3. The vulnerable path takes attacker-controlled data from a base64-decoded JSON blob, feeds it into call_user_func(), and reaches it through the unauthenticated fusion_get_widget_markup AJAX handler. On paper that is classic pre-auth RCE with full site compromise potential.

The vendor's 9.8/CRITICAL score is technically defensible, but operationally a bit hot. The deciding friction is that the endpoint is protected by a nonce which, per Wordfence, becomes harvestable only when a public page exposes JavaScript for specific Avada elements like Post Cards or Table of Contents. That means this is not 'every vulnerable host on the internet falls over instantly'; it's still very serious, but real-world reach is narrower than a generic unauthenticated RCE.

"Pre-auth RCE is bad, but this one still needs a leaked nonce from specific public Avada elements."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Identify an Avada target with the right public widget

An attacker starts with commodity web recon using tools like httpx or curl to fingerprint WordPress and Avada. They then look for public pages rendering Avada components that expose the fusion_load_nonce in page JavaScript, specifically the elements called out by Wordfence.

Conditions required:

Target runs WordPress with Avada Builder installed
Target version is <= 3.15.2
A public page uses a nonce-leaking Avada element such as Post Cards or Table of Contents

Where this breaks in practice:

Not every Avada site exposes those elements publicly
CDN/WAF caching and minification can make fingerprinting and nonce extraction less reliable
Some sites may run Avada but not the vulnerable builder feature path in any public page

Detection/coverage: Version-based scanners like WPScan can flag fusion-builder < 3.15.3, but they generally do not prove the nonce-leaking widget is present.

STEP 02

Harvest the nonce

Using a browser, curl, or a headless scraper, the attacker pulls the public page source and extracts the fusion_load_nonce. This is the key gating condition that turns a nominally protected AJAX action into a remotely reachable one.

Conditions required:

Nonce is present in publicly retrievable page output
Attacker can parse client-side JavaScript or HTML responses

Where this breaks in practice:

Nonce exposure depends on page composition, not just plugin version
Some themes, cache layers, or customizations may suppress or alter client-side output

Detection/coverage: Normal page fetches blend into background traffic; this step is hard to distinguish from benign crawling unless you baseline unusual repeated pulls of Avada-heavy pages.

STEP 03

Reach the vulnerable AJAX handler

The attacker sends a crafted request to WordPress admin-ajax.php for fusion_get_widget_markup, typically with curl, Burp Suite, or a custom script. The request carries the harvested nonce and attacker-controlled data that flows into the vulnerable conditional-render logic.

Conditions required:

/wp-admin/admin-ajax.php is internet reachable
The wp_ajax_nopriv_fusion_get_widget_markup action is enabled
Request passes whatever superficial validation the site or WAF applies

Where this breaks in practice:

Some WAFs or reverse proxies may block obviously malformed payloads or noisy automation
Rate limits and bot controls can slow mass exploitation

Detection/coverage: Web logs can catch spikes in POSTs to admin-ajax.php with action=fusion_get_widget_markup; generic WordPress attack telemetry often sees this path, but precise signature coverage varies.

STEP 04

Trigger function injection and land code execution

The exploit path abuses the wp_conditional_tags handling so attacker-supplied values reach call_user_func() without an allowlist. Successful exploitation gives code execution in the PHP/WordPress context, after which common follow-on tooling is a PHP webshell or plugin/theme file write for persistence.

Conditions required:

Application executes the vulnerable code path exactly as described by Wordfence
PHP execution context has sufficient permissions to modify files or run follow-on payloads

Where this breaks in practice:

Hardened file permissions, read-only containers, or immutable deploys can reduce post-exploitation persistence options
EDR/FIM on the web tier can catch the noisy second stage even if the initial bug lands

Detection/coverage: This is where defenders have the best shot: webshell signatures, new PHP file creation, plugin/theme tampering alerts, and suspicious child-process or outbound activity from php-fpm/Apache.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in CISA KEV or the primary-source review set as of 2026-05-29.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities catalog.
PoC availability	No authoritative GitHub PoC was located in search, but third-party exploit tracking and PoC-style writeups exist on Sploitus/Atomic Edge. Treat weaponization risk as credible, not yet mainstream.
EPSS	Prompt provided 0.00138. CIRCL's EPSS mirror showed 0.00105 / 28.022 percentile on 2026-05-26, reinforcing that mass exploitation likelihood was low at publication time.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` means network-reachable, no auth, no user interaction, and full CIA impact if the vulnerable path is exposed.
Affected versions	`Avada Builder (fusion-builder) <= 3.15.2`.
Fixed version	Vendor fix shipped in Avada 7.15.3 / Avada Builder 3.15.3 on 2026-05-12.
Exposure population	Avada claims roughly 1.06M customers / 1M+ website owners, so the product family is widespread. But reachable exploit population is narrower because the public nonce leak depends on specific Avada elements being rendered.
Disclosure timeline	Vendor says the fix was released 2026-05-12; public CVE publication followed on 2026-05-21. CIRCL shows vendor-notified 2026-04-15.
Researchers	Credited by Wordfence/CVE data to Tin Pham, Trong Pham, and Hao Ngo.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.7/10)

The biggest downward pressure is the public nonce-leak prerequisite: exploitation is not universal across all vulnerable Avada installs, only those exposing the right front-end elements. This is still a serious internet-facing RCE because the product footprint is large and successful exploitation yields full WordPress-side compromise with no authentication.

HIGH Affected version range and fixed version

MEDIUM Operational reachability assumptions across real Avada deployments

MEDIUM Current exploitation prevalence

Why this verdict

Start at 9.8: vendor scoring is reasonable because the sink is pre-auth network RCE with full impact.
Downward adjustment for prerequisite exposure: the attacker does not just need a vulnerable plugin; they need a public page that leaks the nonce through specific Avada elements. That is a real deployment filter, not paperwork.
No post-initial-access friction: no credentials, no internal foothold, and no victim click are required once the nonce is obtainable, so this stays well above MEDIUM.
Large blast radius on successful compromise: WordPress/PHP code execution usually means database access, credential theft, content tampering, webshells, and pivot potential from a public web tier.
Current threat signals are soft: no KEV listing, low EPSS, and no strong primary-source evidence of live exploitation keep this out of CRITICAL-for-everyone territory.

Why not higher?

I am not calling this CRITICAL because the exploit chain is narrower than the raw CVSS suggests. The nonce must be exposed through specific public Avada elements, and that requirement materially reduces the reachable population. With no KEV listing or credible evidence of broad exploitation yet, 'patch immediately within hours' is not justified for every estate.

Why not lower?

I am not pushing this to MEDIUM because the attacker still needs no auth and no user interaction. When the prerequisites are met, the outcome is full code execution on an internet-facing CMS component that commonly sits in production DMZs and marketing sites with business-critical data and credentials.

05 · Compensating Control

What to do — in priority order.

Block the vulnerable AJAX action at the edge — Add a WAF or reverse-proxy rule to deny or tightly challenge requests to wp-admin/admin-ajax.php carrying action=fusion_get_widget_markup from untrusted clients. Do this as the primary temporary control and deploy it within 30 days if patching cannot complete first.
Hunt for public nonce exposure — Enumerate Avada sites and identify pages rendering Post Cards or Table of Contents elements, because those are the reachability amplifiers Wordfence called out. Use that output to prioritize exposed internet sites first and complete the review within 30 days.
Tighten web-tier file integrity monitoring — Alert on new or modified PHP under wp-content/plugins, wp-content/themes, uploads directories, and drop-in files. This will not stop initial exploitation, but it does catch the common persistence step; deploy within 30 days.
Constrain PHP write paths — Where architecture allows, reduce PHP's ability to write to plugin and theme directories, or move sites to immutable deploy patterns. This shrinks post-exploitation persistence even if the bug lands; implement within 30 days on high-value internet-facing sites.
Increase logging on admin-ajax.php — Capture full request metadata, response codes, source IPs, and user agents for WordPress AJAX endpoints, especially fusion_get_widget_markup. This improves detection and retrospective scoping; enable within 30 days.

What doesn't work

MFA does nothing here because the attack is pre-auth against a public AJAX endpoint.
Hiding /wp-admin or changing login URLs does not solve it because admin-ajax.php` remains the reachable surface.
Only patching WordPress core does not help; the vulnerable component is the Avada Builder plugin code.
Relying on nonce presence as protection is false comfort here because the nonce can be harvested from public output on specific pages.

06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host as a user with read access to the web root; root is not required unless filesystem permissions are tight. Invoke it as bash check-avada-cve-2026-6279.sh /var/www/html or point it at a higher-level web directory; it will search for fusion-builder/fusion-builder.php, read the plugin version, and print VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-avada-cve-2026-6279.sh
# Detects whether Avada Builder (fusion-builder) is vulnerable to CVE-2026-6279
# Affected: <= 3.15.2
# Fixed:    >= 3.15.3
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / plugin not found / could not parse

set -u

TARGET_ROOT="${1:-.}"
AFFECTED_MAX="3.15.2"

if ! command -v find >/dev/null 2>&1; then
  echo "UNKNOWN - required command 'find' not available"
  exit 2
fi

PLUGIN_FILE="$(find "$TARGET_ROOT" -type f -path '*/wp-content/plugins/fusion-builder/fusion-builder.php' 2>/dev/null | head -n 1)"

if [ -z "$PLUGIN_FILE" ]; then
  # Try a broader fallback for non-standard layouts
  PLUGIN_FILE="$(find "$TARGET_ROOT" -type f -name 'fusion-builder.php' 2>/dev/null | grep '/fusion-builder/' | head -n 1)"
fi

if [ -z "$PLUGIN_FILE" ]; then
  echo "UNKNOWN - fusion-builder plugin file not found under $TARGET_ROOT"
  exit 2
fi

VERSION_LINE="$(grep -iE '^\s*Version\s*:' "$PLUGIN_FILE" 2>/dev/null | head -n 1)"
VERSION="$(printf '%s' "$VERSION_LINE" | sed -E 's/^\s*Version\s*:\s*//I' | tr -d '\r' | xargs)"

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not parse plugin version from $PLUGIN_FILE"
  exit 2
fi

compare_with_php() {
  php -r '
    $v=$argv[1];
    $max=$argv[2];
    if (version_compare($v, $max, "<=")) { exit(1); }
    exit(0);
  ' "$1" "$2"
}

compare_with_sortv() {
  local lowest
  lowest="$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)"
  [ "$lowest" = "$1" ]
}

IS_VULN=2
if command -v php >/dev/null 2>&1; then
  if compare_with_php "$VERSION" "$AFFECTED_MAX"; then
    IS_VULN=0
  else
    rc=$?
    if [ "$rc" -eq 1 ]; then
      IS_VULN=1
    fi
  fi
else
  if compare_with_sortv "$VERSION" "$AFFECTED_MAX"; then
    IS_VULN=1
  else
    IS_VULN=0
  fi
fi

case "$IS_VULN" in
  1)
    echo "VULNERABLE - Avada Builder version $VERSION detected at $PLUGIN_FILE (affected <= $AFFECTED_MAX)"
    exit 1
    ;;
  0)
    echo "PATCHED - Avada Builder version $VERSION detected at $PLUGIN_FILE (fixed >= 3.15.3)"
    exit 0
    ;;
  *)
    echo "UNKNOWN - comparison failed for version $VERSION at $PLUGIN_FILE"
    exit 2
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull a list of every internet-facing WordPress site running Avada Builder and sort them into two buckets: publicly exposed sites likely rendering the nonce-leaking elements first, then the rest of the Avada estate. For this HIGH reassessment, the noisgate mitigation SLA is within 30 days for temporary controls like edge blocking of action=fusion_get_widget_markup and increased admin-ajax.php monitoring, while the noisgate remediation SLA is within 180 days for upgrading to 3.15.3+; in practice, your exposed marketing and e-commerce sites should be patched well before that long-tail deadline.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.