External risk intelligence

Fusion Builder PHP Object Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-54194

A PHP Object Injection vulnerability in Fusion Builder can allow attackers to execute arbitrary code remotely, potentially compromising affected systems. The issue does not require authentication or user interaction for exploitation. It is uncertain if this component is in use or exposed in your environment.

Deserialization

Halo Surface Signal

Likely · external exposure

The vulnerability affects a WordPress plugin, which functions as part of a web application. WordPress sites are commonly deployed as public-facing web services, making the plugin's functionality and attack surface generally reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in a component used within web applications, allowing for the injection of malicious code through user-submitted data. This could potentially lead to unauthorized control or disruption of affected systems. The primary concern is confirming if this component is in use and identifying any exposure.

  • Web code injection risk.
  • Affects widely used web applications.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request over the network to a target system. This request targets the Fusion Builder component, which is susceptible to PHP Object Injection. Successful exploitation could allow an attacker to execute arbitrary code, leading to a complete compromise of the affected system.

  • No authentication or user interaction needed.
  • PHP Object Injection in Fusion Builder.
  • Leads to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on the server by sending specially crafted requests. This could impact the integrity and availability of the affected system.

  • Server-side code execution.
  • Via unauthenticated network requests.
  • System compromise and data loss.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Fusion Builder, a component commonly integrated into WordPress websites. Ownership likely resides with the application owners or the platform team responsible for managing the WordPress instances. The immediate first step is to identify all deployments of Fusion Builder, assess their exposure and business criticality, and then coordinate remediation with the relevant asset owners.

  • Identify Fusion Builder deployments and owners.
  • Verify exposure and business criticality.
  • Plan coordinated remediation.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-54194 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This PHP Object Injection vulnerability in Fusion Builder can lead to a critical system compromise, making it relevant for PCI scans due to the high risk of exploitation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Fusion Builder?

Fusion Builder is a plugin for WordPress designed to help users create complex page layouts and website content through a visual interface. It acts as a bridge between the user's design choices and the underlying server-side PHP code, which processes these elements to render the final web page.

How does PHP Object Injection work in CVE-2026-54194?

This vulnerability, classified as CWE-502, occurs when the plugin improperly handles serialized data. By sending a carefully crafted string to the application, an attacker can manipulate how the server's PHP environment reconstructs objects. This allows the attacker to force the server to execute unintended, harmful code during that reconstruction process.

Can any network request trigger this vulnerability?

Not every request will trigger it. The vulnerability requires the attacker to send specific, maliciously formatted data that the Fusion Builder plugin will attempt to deserialize. Legitimate, standard traffic to your website that does not contain these specific, complex object structures will not activate this security flaw.
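To make the CWE-502 mechanism described in the two answers above concrete, here is an added illustration (not Fusion Builder's own code; the settings class, function names and sample payload are hypothetical and constructed) showing the unsafe unserialize() pattern beside a hardened version that refuses object payloads outright:

```php
<?php
// Added illustration of the CWE-502 pattern: hypothetical class and
// function names, not taken from Fusion Builder.

class ElementSettings
{
    public string $layout = 'default';
    public array $options = [];
}

// Vulnerable shape: untrusted input goes straight to unserialize(), so any
// loadable class can be instantiated and its magic methods (__wakeup,
// __destruct, ...) run as a side effect of object reconstruction.
function load_settings_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened shape: settings are plain arrays, so objects are never needed.
// allowed_classes => false makes PHP turn every object in the payload into
// __PHP_Incomplete_Class (no magic methods run); anything that is not a
// pure array of scalars is then rejected.
function load_settings_hardened(string $untrusted): ?array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $clean = true;
    array_walk_recursive($data, function ($v) use (&$clean) {
        if (is_object($v)) {
            $clean = false;
        }
    });
    return $clean ? $data : null;
}

// Constructed inputs: a legitimate array payload and a harmless object
// payload (no gadget chain, just the object marker the hardened path rejects).
$arrayPayload  = serialize(['layout' => 'grid']);
$objectPayload = 'O:15:"ElementSettings":2:{s:6:"layout";s:4:"grid";'
               . 's:7:"options";a:0:{}}';

// The vulnerable loader reconstructs ElementSettings from the object payload;
// the hardened loader returns null for it and the array for the array payload.
var_dump(load_settings_vulnerable($objectPayload) instanceof ElementSettings);
var_dump(load_settings_hardened($objectPayload));
var_dump(load_settings_hardened($arrayPayload));
```

Where a payload must carry structured data from the client, a format with no object semantics (json_decode() with associative arrays) removes the deserialization sink entirely.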

How do I know if my site is at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a high-priority concern because WordPress plugins are typically integrated into public-facing web services. If your site is accessible over the internet, the component is reachable by attackers, meaning the risk is elevated compared to services restricted to a private, internal network.

What are the first steps to secure my server?

Begin by conducting an inventory to find every instance where the Fusion Builder plugin is currently installed. Once located, verify which sites are exposed to the internet versus those that are internal. Prioritize your most critical public-facing assets and coordinate with your web management team to apply available updates as soon as possible.
