Unauthenticated Remote Code Execution Vulnerability in Avada Builder Plugin for WordPress
CVE-2026-6279

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Avada (fusion) Builder
Vendor: CVE Published:; 21 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6279?

The Avada Builder (fusion-builder) plugin for WordPress is susceptible to a Remote Code Execution vulnerability that allows unauthenticated attackers to exploit the system via PHP Function Injection. This issue arises from a flaw in the handling of attacker-controlled input within the Fusion_Builder_Conditional_Render_Helper::get_value() function. When the fusion_get_widget_markup AJAX endpoint is called, the lack of proper allowlist validation permits malicious users to execute arbitrary code on vulnerable websites, compromising security. The vulnerability is exacerbated as the nonce validation is weak, exposing it through the public-facing pages utilizing specific shortcode elements.

Affected Version(s)

Avada (Fusion) Builder 0 <= 3.15.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6279
Created by zycoder0day

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/fusion-builder...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 23, 2026
👾
Exploit known to exist
May 23, 2026
Vulnerability published
May 21, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Tin Pham

Trong Pham

Hao Ngo

CVE-2026-6279 Data

JSON