
WordPress Avada Builder plugin allows attackers to take control of your site

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-6279

The Avada Builder plugin for WordPress has a critical flaw allowing anyone to run malicious code on your website without logging in, potentially leading to full site takeover.

Halo Surface Signal: 5

Remote Code Execution

External exposure likelihood

Halo Surface Signal score for CVE-2026-6279

The vulnerability exists in a WordPress plugin's AJAX endpoint, which is intentionally designed to be reachable by unauthenticated users over the internet. Because the required security token is exposed on public-facing pages, the attack surface is exposed to any external visitor, making the target fully internet-facing in standard web application deployments.

PCI scan relevance

PCI Relevance for CVE-2026-6279: Yes

CVE-2026-6279 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to execute arbitrary code, which is a critical security flaw that would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Avada Builder plugin for WordPress allows unauthenticated attackers to execute arbitrary code on a website. This is concerning because it means anyone, without needing a login, could potentially take full control of the site.

  • Websites using this plugin are at risk.
  • Unauthenticated access is possible.
  • This can lead to complete site compromise.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by sending a crafted request to a specific AJAX endpoint on a WordPress site. This request would contain a base64 encoded JSON payload that, when processed, allows for the injection and execution of arbitrary PHP functions. This effectively grants the attacker code execution on the server, impacting the integrity and availability of the site.

  • Exploitable by unauthenticated attackers.
  • Targets the plugin's AJAX endpoint.
  • Requires a public page containing specific shortcodes.
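The attack path above describes a PHP function-injection sink: a name taken from a base64-encoded JSON payload is resolved to a function and called. The following is an added illustration of that weakness class and its fix, written for this page in Python rather than PHP; it is not the Avada Builder plugin's code, and the handler names, the `callback`/`args` payload shape and the `delete_all_posts` stand-in are constructed for the example.

```python
import base64
import json

# Hypothetical handlers standing in for a plugin's legitimate widget-rendering routines.
def render_text_widget(text=""):
    return f"<p>{text}</p>"

def render_image_widget(src=""):
    return f'<img src="{src}">'

# Stand-in for any function that is reachable by name inside the process
# but was never meant to be callable from a request.
def delete_all_posts():
    return "ALL POSTS DELETED"

def encode_payload(obj):
    """Wrap a JSON object in base64, the transport shape the advisory describes (constructed)."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

def decode_payload(b64):
    return json.loads(base64.b64decode(b64))

# Vulnerable pattern: the caller-supplied name is resolved to whatever function it
# denotes and invoked. This is the Python analogue of calling a user-controlled
# string in PHP; a nonce check does not help when the nonce is public.
def dispatch_unsafe(payload):
    fn = globals()[payload["callback"]]
    return fn(**payload.get("args", {}))

# Hardened pattern: an explicit allow-list maps public names to handlers.
# Anything not in the table is rejected before any call happens.
ALLOWED_CALLBACKS = {
    "text": render_text_widget,
    "image": render_image_widget,
}

class RejectedCallback(ValueError):
    pass

def dispatch_safe(payload):
    name = payload.get("callback")
    handler = ALLOWED_CALLBACKS.get(name)
    if handler is None:
        raise RejectedCallback(f"callback {name!r} is not permitted")
    args = payload.get("args", {})
    if not isinstance(args, dict):
        raise RejectedCallback("args must be a JSON object")
    return handler(**args)

if __name__ == "__main__":
    good = encode_payload({"callback": "text", "args": {"text": "hello"}})
    print(dispatch_safe(decode_payload(good)))
    bad = encode_payload({"callback": "delete_all_posts"})
    try:
        dispatch_safe(decode_payload(bad))
    except RejectedCallback as e:
        print("rejected:", e)
```

The point of the allow-list is that the request can only ever select among handlers the developer chose to expose; it can never name a function. Because the advisory states the nonce for this endpoint is exposed on public pages, a nonce check alone cannot stand in for this kind of input validation.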

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is very likely to be weaponized by attackers. WordPress plugins with unauthenticated remote code execution flaws are highly attractive targets for automated scanning and exploitation due to the sheer volume of WordPress sites and the potential for widespread compromise. The deterministically exposed nonce further lowers the barrier to entry for exploitation.

  • Unauthenticated RCE in popular plugin.
  • Publicly accessible AJAX endpoint.
  • Deterministic nonce exposure.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of the Avada Builder plugin to version 3.15.3 or later, as this unauthenticated RCE vulnerability is critical and actively exploited. If patching is delayed, isolate affected WordPress instances from public access or implement a Web Application Firewall (WAF) to block requests targeting the `fusion_get_widget_markup` AJAX endpoint. Continuous monitoring for indicators of compromise related to PHP code execution is essential until remediation is complete.

  • Update Avada Builder to 3.15.3 or later.
  • Isolate affected systems or deploy WAF rules.
  • Monitor for unauthorized code execution.
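To support the monitoring and WAF steps above, here is an added Python scanner, not part of this advisory or the plugin, that walks web-server access logs in combined format and reports requests to WordPress's `admin-ajax.php` carrying the `fusion_get_widget_markup` action named on this page. The log lines are constructed samples. One caveat the code handles: the `action` parameter may travel in the POST body, which access logs do not record, so AJAX requests with no action in the query string are surfaced separately as needing body-level (WAF) inspection rather than silently passed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 8123 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "GET /about/ HTTP/1.1" 200 14022 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.44 - - [12/May/2026:10:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 8123 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"          # WordPress's AJAX entry point
WATCHED_ACTION = "fusion_get_widget_markup"     # AJAX action named in the advisory

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def classify(rec):
    """'hit' for the watched action, 'body_only' when action is absent from the query string."""
    if rec["path"] != AJAX_PATH:
        return None
    actions = rec["query"].get("action", [])
    if WATCHED_ACTION in actions:
        return "hit"
    if not actions:
        # The action may be in the POST body; access logs cannot tell us, so flag for WAF/body inspection.
        return "body_only"
    return None

def scan(log_text):
    hits, body_only = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind == "hit":
            hits.append(rec)
        elif kind == "body_only":
            body_only.append(rec)
    return hits, body_only

def summarize(log_text):
    """Counts suitable for an alert: total hits, hits per source IP, and requests needing body inspection."""
    hits, body_only = scan(log_text)
    return {
        "hits": len(hits),
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "needs_body_inspection": len(body_only),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real log with `summarize(open(path).read())`. The endpoint is legitimate plugin functionality, so hits are a review queue rather than proof of compromise; the advisory's interim recommendation is to block the endpoint with a WAF until the plugin is at 3.15.3 or later, and a WAF that inspects POST bodies is also the only place the `body_only` requests can be classified.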

Frequently asked questions

What is the Avada Builder plugin for WordPress and what does it do?

The Avada Builder is a WordPress plugin that allows users to visually create and design website content. It enables the development of intricate page layouts and designs without requiring direct coding.

What type of vulnerability does CVE-2026-6279 represent?

CVE-2026-6279 is a PHP Function Injection vulnerability. This weakness allows an attacker to execute unintended PHP code by submitting specially crafted input, posing a critical security risk.

How can an attacker exploit CVE-2026-6279 in the Avada Builder plugin?

An attacker can exploit this by sending a crafted request to the `fusion_get_widget_markup` AJAX endpoint. This request includes a base64 encoded JSON payload that bypasses security checks and allows for the execution of arbitrary PHP functions.

What makes CVE-2026-6279 a significant threat?

This vulnerability is very likely to be exploited because it allows unauthenticated attackers to achieve remote code execution in a popular WordPress plugin. The presence of a deterministically exposed nonce on public pages further simplifies exploitation.

What actions should be taken to address the Avada Builder plugin vulnerability?

Users should immediately update the Avada Builder plugin to version 3.15.3 or a later version. If immediate patching is not feasible, consider isolating affected WordPress instances from public access or implementing a Web Application Firewall (WAF) to block malicious requests to the vulnerable AJAX endpoint.
