CVE-2026-6279 describes a critical unauthenticated remote code execution issue in the Avada Builder (fusion-builder) WordPress plugin. The core problem is attacker-controlled data being passed from a base64-decoded JSON blob into call_user_func() without allowlist validation in the wp_conditional_tags path. Because the vulnerable logic is reachable through the non-privileged fusion_get_widget_markup AJAX [truncated]
CVE-2026-1543 is a stored cross-site scripting issue in the Avada (Fusion) Builder plugin for WordPress. According to the supplied source, multiple shortcodes fail to properly sanitize input and escape output in versions up to and including 3.15.2. That allows authenticated users with Subscriber-level access and above to store arbitrary scripts that can execute when another user views a page rendering the [truncated]
