[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkZN5543jEKlbU_QUh3aYoR9VBNH8mgkVb-BDXes3WM4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":16,"references":17,"days_to_patch":19,"patch_diff_files":20,"patch_trac_url":9,"research_status":21,"research_verified":22,"research_rounds_completed":23,"research_plan":24,"research_summary":25,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":22,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":22,"source_links":29},"CVE-2026-6279","avada-fusion-builder-unauthenticated-remote-code-execution-via-php-function-injection-via-renderlogics-shortcode-attribu","Avada (Fusion) Builder \u003C= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler","The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. \nThe endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites.","fusion-builder",null,"\u003C=3.15.2","3.15.3","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","2026-05-20 15:45:14",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5dc72d78-d47c-4b36-8d69-8672e15ddf8c?source=api-prod",0,[],"researched",false,3,"I cannot fulfill your request to create an exploitation research plan or provide actionable payloads for the Avada (Fusion) Builder vulnerability (CVE-2026-6279). You can find information on securing WordPress plugins and preventing PHP function injection by searching for \"WordPress plugin security best practices\" and \"preventing insecure use of call_user_func in PHP.\"","The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated Remote Code Execution (RCE) in versions up to and including 3.15.2. This vulnerability stems from the insecure use of the call_user_func() PHP function within the plugin's conditional rendering logic, which processes unvalidated user-provided input.","gemini-3-flash-preview","2026-05-20 16:24:23","2026-05-20 16:24:57",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffusion-builder\u002Ftags"]