Skip to content

[GHSA-f53p-382v-8pj7] The Avada Builder (fusion-builder) plugin for WordPress... #8019

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vanesabravon wants to merge 1 commit into
base: vanesabravon/advisory-improvement-8019
Choose a base branch
from
+21 −3
Open

[GHSA-f53p-382v-8pj7] The Avada Builder (fusion-builder) plugin for WordPress... #8019

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 21 additions & 3 deletions advisories/unreviewed/2026/05/GHSA-f53p-382v-8pj7/GHSA-f53p-382v-8pj7.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,37 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f53p-382v-8pj7",
"modified": "2026-05-21T06:31:31Z",
"modified": "2026-05-21T06:31:41Z",
"published": "2026-05-21T06:31:31Z",
"aliases": [
"CVE-2026-6279"
],
"details": "The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.",
"summary": "CVE-2026-6279: Additional nonce exposure vector via fb-edit=1 frontend editing parameter",
"details": "The published CVE documents nonce exposure via [fusion_post_cards] and \n[fusion_table_of_contents] shortcodes. Forensic analysis of an active \nexploitation confirms an additional undocumented vector: the fusion_load_nonce \nis also exposed via the fb-edit=1 frontend editing parameter, available on any \npublic URL without requiring specific shortcodes. This makes all Avada Builder \ninstallations up to 3.15.2 universally vulnerable regardless of page configuration.\n\nEvidence: WAF logs confirm exploitation via ?fb-edit=1 parameter on sites with \nno Post Cards or Table of Contents elements present.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": ""
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
Expand Down