PatchSiren cyber security CVE debrief

CVE-2026-6279 themefusion CVE debrief

CVE-2026-6279 describes a critical unauthenticated remote code execution issue in the Avada Builder (fusion-builder) WordPress plugin. The core problem is attacker-controlled data being passed from a base64-decoded JSON blob into call_user_func() without allowlist validation in the wp_conditional_tags path. Because the vulnerable logic is reachable through the non-privileged fusion_get_widget_markup AJAX endpoint, an attacker can trigger code execution without an authenticated session whenever the required nonce is available. The supplied record states that nonce exposure is deterministic on public pages containing certain Avada elements, which makes the issue especially dangerous for Internet-facing WordPress sites.

Vendor: themefusion
Product: Avada (Fusion) Builder
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

WordPress administrators and developers running the Avada Builder / fusion-builder plugin, especially sites that use Post Cards ([fusion_post_cards]) or Table of Contents ([fusion_table_of_contents]) elements on public pages. Security teams should treat any exposed WordPress instance with this plugin as high priority until it is confirmed patched.

Technical summary

The supplied CVE record and linked plugin references indicate that Fusion_Builder_Conditional_Render_Helper::get_value() handles the wp_conditional_tags case by forwarding attacker-influenced values into call_user_func() after decoding JSON from a base64-encoded blob, without a proper allowlist. The attack path is reachable through fusion_get_widget_markup, which is registered for unauthenticated users via wp_ajax_nopriv_fusion_get_widget_markup. The CVE description also states that the nonce protection is weak in practice because fusion_load_nonce is generated for user ID 0 and is exposed in frontend JavaScript on public pages that include specific Avada content blocks.
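As an added illustration (not code from the Avada / fusion-builder plugin), the PHP below shows the hardening the summary points at: the function name taken from the decoded blob is matched against a fixed allowlist of WordPress conditional tags, and arguments are type-checked, before anything reaches call_user_func_array(). The blob layout ({"tag": ..., "args": [...]}) and the class name are assumptions made for this example.

```php
<?php
/**
 * Hardened resolver for a "conditional tags" style check.
 * Added example for this debrief; the blob layout and class name are assumed.
 */
final class Conditional_Tag_Resolver {

    // Explicit allowlist of WordPress conditional tags that may be invoked.
    // Anything not listed here is rejected, regardless of what the blob says.
    private const ALLOWED_TAGS = array(
        'is_front_page', 'is_home', 'is_page', 'is_single', 'is_singular',
        'is_archive', 'is_category', 'is_tag', 'is_search', 'is_404',
        'is_user_logged_in',
    );

    /**
     * Decode the client-supplied blob and evaluate the requested tag.
     * Returns a bool, or null when the request is malformed or not allowed.
     */
    public static function evaluate( string $blob ): ?bool {
        $json = base64_decode( $blob, true ); // strict mode: reject non-base64 input
        if ( false === $json ) {
            return null;
        }
        $data = json_decode( $json, true );
        if ( ! is_array( $data ) || ! isset( $data['tag'] ) || ! is_string( $data['tag'] ) ) {
            return null;
        }
        // Exact string match against the allowlist (strict in_array, no loose compare).
        if ( ! in_array( $data['tag'], self::ALLOWED_TAGS, true ) ) {
            return null;
        }
        // Conditional tags take at most one argument; accept scalars only.
        $args = ( isset( $data['args'] ) && is_array( $data['args'] ) ) ? array_values( $data['args'] ) : array();
        if ( count( $args ) > 1 ) {
            return null;
        }
        foreach ( $args as $arg ) {
            if ( ! is_scalar( $arg ) ) {
                return null;
            }
        }
        // $data['tag'] is now guaranteed to be one of a fixed set of known functions.
        return (bool) call_user_func_array( $data['tag'], $args );
    }
}
```

The same check belongs in front of any AJAX handler registered with wp_ajax_nopriv_, since a leaked nonce alone must not be the only barrier between an anonymous request and call_user_func().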

Defensive priority

Immediate. This is a network-reachable, unauthenticated RCE with CVSS 9.8 and should be prioritized for urgent patching, exposure review, and validation of site compromise indicators.

Recommended defensive actions

  • Update the Avada Builder / fusion-builder plugin to a version newer than 3.15.2 once the vendor-confirmed fix is available.
  • Remove or minimize exposure of public pages that include [fusion_post_cards] or [fusion_table_of_contents] until patched, because those pages can expose the nonce used by the vulnerable AJAX flow.
  • Audit WordPress logs, file integrity, and recently modified PHP files for signs of unauthorized code execution or webshell activity.
  • Review whether the fusion_get_widget_markup endpoint is reachable from the public Internet on your deployment and confirm that the vulnerable plugin is not present on any production or staging site.
  • Monitor the Avada changelog and the WordPress plugin repository references for the exact fixed release, then verify installed versions across all instances.

Evidence notes

The supplied NVD record lists CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and identifies CWE-74. The linked WordPress plugin source references point to fusion-builder 3.15.0 and trunk code for the conditional render helper and fusion-widget shortcode, supporting the reported vulnerable path and unauthenticated AJAX exposure. The CVE was published and modified on 2026-05-21 in the supplied timeline data. This debrief does not include exploit steps or independently verified code analysis beyond the provided corpus.

Official resources

Published from the supplied CVE record dated 2026-05-21. This summary is based only on the provided CVE metadata and linked official or source references, with no added exploitation detail.