{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6279/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-6279"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Avada Builder (fusion-builder) plugin \u003c= 3.15.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","rce","php","function-injection","cve-2026-6279"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Avada Builder (fusion-builder) plugin for WordPress, specifically versions up to and including 3.15.2, contains an unauthenticated remote code execution vulnerability, tracked as CVE-2026-6279. The vulnerability stems from a lack of proper validation when handling the \u003ccode\u003ewp_conditional_tags\u003c/code\u003e case within the \u003ccode\u003eFusion_Builder_Conditional_Render_Helper::get_value()\u003c/code\u003e function. This allows attacker-controlled values from a base64-decoded JSON blob to be passed directly to \u003ccode\u003ecall_user_func()\u003c/code\u003e, resulting in PHP function injection. The \u003ccode\u003efusion_get_widget_markup\u003c/code\u003e AJAX endpoint, accessible to unauthenticated users via \u003ccode\u003ewp_ajax_nopriv_fusion_get_widget_markup\u003c/code\u003e, can be exploited. Although a nonce (\u003ccode\u003efusion_load_nonce\u003c/code\u003e) is present, it is generated for user ID 0 and deterministically exposed in the JavaScript output of public-facing pages containing a Post Cards (\u003ccode\u003e[fusion_post_cards]\u003c/code\u003e) or Table of Contents (\u003ccode\u003e[fusion_table_of_contents]\u003c/code\u003e) element, bypassing the intended authentication mechanism.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site running a vulnerable version of the Avada Builder plugin (\u0026lt;= 3.15.2).\u003c/li\u003e\n\u003cli\u003eThe attacker visits a public-facing page containing either a Post Cards (\u003ccode\u003e[fusion_post_cards]\u003c/code\u003e) or Table of Contents (\u003ccode\u003e[fusion_table_of_contents]\u003c/code\u003e) element.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the \u003ccode\u003efusion_load_nonce\u003c/code\u003e value from the page\u0026rsquo;s JavaScript source code.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request to the \u003ccode\u003efusion_get_widget_markup\u003c/code\u003e endpoint, including the extracted \u003ccode\u003efusion_load_nonce\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a PHP function call within the base64-decoded JSON blob passed to \u003ccode\u003eFusion_Builder_Conditional_Render_Helper::get_value()\u003c/code\u003e via the \u003ccode\u003ewp_conditional_tags\u003c/code\u003e case.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecall_user_func()\u003c/code\u003e function executes the attacker-controlled PHP function.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the WordPress server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6279 allows unauthenticated attackers to execute arbitrary code on vulnerable WordPress sites. This can lead to complete compromise of the affected website, including data theft, defacement, malware injection, and denial of service. Given the popularity of the Avada Builder plugin, a large number of WordPress sites are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Avada Builder plugin to a version greater than 3.15.2 to patch CVE-2026-6279.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Avada Builder PHP Function Injection Attempt\u003c/code\u003e to identify exploitation attempts against the \u003ccode\u003efusion_get_widget_markup\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with \u003ccode\u003eaction=fusion_get_widget_markup\u003c/code\u003e containing suspicious base64 encoded data, as detected by \u003ccode\u003eDetect Avada Builder fusion_get_widget_markup Endpoint Access\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T05:16:53Z","date_published":"2026-05-21T05:16:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-avada-builder-rce/","summary":"The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated remote code execution (RCE) due to PHP function injection, allowing attackers to execute arbitrary code on affected sites.","title":"CVE-2026-6279 - Avada Builder Plugin Unauthenticated RCE via PHP Function Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-avada-builder-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-6279","version":"https://jsonfeed.org/version/1.1"}