
CVE-2026-6279 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-6279 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2026-6279 is an unauthenticated remote code execution vulnerability in the Avada Builder (fusion-builder) WordPress plugin, affecting all versions up to and including 3.15.2, caused by unsafe PHP function injection in the plugin's conditional rendering logic.

Technical Detail

The flaw exists in Fusion_Builder_Conditional_Render_Helper::get_value(), specifically within the wp_conditional_tags case handler. That code path base64-decodes a JSON blob taken from the request, and passes the resulting values straight into PHP's call_user_func() with no allowlist of permitted conditional tags and no validation of the callable name or its arguments. Because the callable is attacker-controlled, any PHP function (system, exec, assert, and so on) can be named. An unauthenticated attacker can send a crafted request to the fusion_get_widget_markup endpoint (or equivalent handler) that reaches this sink, and the named function executes inside the web server's PHP process with the privileges of the web server user, which is full remote code execution on the host. Because no account or session is required, every internet-reachable WordPress site running an affected plugin version is exposed.
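The following PHP is an added illustration of the bug class described above and of the fix shape a plugin author would apply. It is not the plugin's own code: the function names, the JSON field names (name, args) and the allowlist contents are assumptions chosen to make the pattern visible, and the page does not state the exact payload layout the real handler expects.

```php
<?php
// Added illustration, not Avada Builder code. Shows attacker-controlled base64 JSON
// reaching call_user_func() (the bug class from the briefing) and an allowlisted version.

// VULNERABLE PATTERN (do not use): whatever callable name the client sent gets invoked.
function vulnerable_conditional_value(string $encoded): bool
{
    $conf = json_decode(base64_decode($encoded), true);
    // $conf['name'] may be "system", "exec", "assert", ...; $conf['args'] become its arguments.
    return (bool) call_user_func_array($conf['name'], $conf['args'] ?? []);
}

// HARDENED PATTERN: only the WordPress conditional tags named here may be called (assumed
// allowlist), the argument list is validated, and any malformed input fails closed.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_front_page'     => 0, // tag => maximum number of arguments accepted
    'is_home'           => 0,
    'is_single'         => 1, // is_single( $post )
    'is_page'           => 1, // is_page( $page )
    'is_singular'       => 1, // is_singular( $post_types )
    'is_archive'        => 0,
    'is_search'         => 0,
    'is_404'            => 0,
    'is_user_logged_in' => 0,
];

function hardened_conditional_value(string $encoded): bool
{
    $raw = base64_decode($encoded, true);          // strict mode: reject non-base64 input
    if ($raw === false) {
        return false;
    }
    $conf = json_decode($raw, true, 4);            // shallow depth limit, associative arrays
    if (!is_array($conf) || !isset($conf['name']) || !is_string($conf['name'])) {
        return false;
    }
    $name = $conf['name'];
    if (!array_key_exists($name, ALLOWED_CONDITIONAL_TAGS)) {
        return false;                              // not allowlisted: never called
    }
    $args = $conf['args'] ?? [];
    if (!is_array($args) || count($args) > ALLOWED_CONDITIONAL_TAGS[$name]) {
        return false;
    }
    foreach ($args as $a) {                        // only scalars (IDs, slugs), no structures
        if (!is_scalar($a)) {
            return false;
        }
    }
    if (!function_exists($name)) {
        return false;                              // outside WordPress the tags do not exist
    }
    // array_values() keeps the call positional; string keys would become named arguments.
    return (bool) call_user_func_array($name, array_values($args));
}

// Constructed demonstration payload: {"name":"system","args":["id"]}, the kind of blob the
// vulnerable version would execute. The hardened version rejects it before any call happens.
$malicious = base64_encode(json_encode(['name' => 'system', 'args' => ['id']]));
var_dump(hardened_conditional_value($malicious));  // bool(false): "system" is not allowlisted
```

The essential change is that the attacker-supplied string is used as a key into a fixed table rather than as the callable itself. Sanitizing or denylisting function names (stripping "system", "exec", ...) is not an acceptable substitute, because PHP offers many more routes to code execution than any denylist will enumerate.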

Exploitation Status

A proof-of-concept exploit is publicly available as of this writing. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and active in-the-wild exploitation has not been confirmed by authoritative sources at this time. However, the combination of a critical CVSS score of 9.8, an unauthenticated network attack vector and a working public PoC makes opportunistic exploitation likely in the near term. Organizations should treat this as a high-urgency patching priority regardless of KEV status.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the nature of the vulnerability (unauthenticated RCE in a widely deployed WordPress plugin), opportunistic mass-scanning by financially motivated actors and botnet operators is a realistic near-term concern, consistent with the exploitation patterns seen against similar WordPress plugin vulnerabilities, where web shells, SEO spam and malware droppers typically follow within days of a PoC.

What To Do

Update the Avada Builder (fusion-builder) plugin to a fixed release later than 3.15.2 immediately; check the vendor's official channel for the patched version. If a patch is not yet available or cannot be applied immediately, deactivate the plugin until remediation is possible, or implement a web application firewall rule that blocks requests carrying base64-encoded payloads to the fusion_get_widget_markup action. Note that the plugin's legitimate conditional-rendering traffic may itself use base64-encoded JSON, so test any such rule against normal front-end behaviour before relying on it; if it breaks rendering, deactivation is the safer stop-gap. Given the public PoC availability, patch deployment should not be deferred.

For detection, review web server and application logs for anomalous POST requests to WordPress AJAX endpoints (wp-admin/admin-ajax.php), particularly spikes in requests to this action from unfamiliar sources. Standard access logs do not record POST bodies, so inspecting the base64-encoded body parameters requires WAF or request-body logging or a check in the application layer. On the host, look for unexpected processes spawned by the web server user account, for newly created or modified PHP files under wp-content/uploads and the plugin directory, and for outbound connections initiated by PHP worker processes. Any site that was exposed while unpatched should be treated as potentially compromised and checked for these indicators rather than simply updated.
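As an added example of the stop-gap described above, implemented at the application layer rather than in an external WAF, the following must-use plugin (drop it into wp-content/mu-plugins/ as a .php file; no activation step is needed) refuses unauthenticated admin-ajax calls to the action when any request parameter base64-decodes to JSON. This is not vendor code. It assumes the handler is an admin-ajax action named fusion_get_widget_markup registered on the usual wp_ajax_nopriv_ hook (the briefing says "or equivalent handler", so verify the action name against your installation), and it relies on the WordPress core functions add_action() and wp_die().

```php
<?php
/**
 * Plugin Name: Stop-gap for CVE-2026-6279 (fusion_get_widget_markup)
 * Description: Added example, not vendor code. Blocks unauthenticated admin-ajax calls to the
 *              assumed action name when a parameter base64-decodes to JSON. Remove once the
 *              patched Avada Builder release is installed.
 */

// True if $value is base64 (standard or URL-safe alphabet) that decodes to a JSON object/array.
function stopgap_is_b64_json(string $value): bool
{
    if (strlen($value) < 8 || !preg_match('~^[A-Za-z0-9+/=_-]+$~', $value)) {
        return false;
    }
    $raw = base64_decode(strtr($value, '-_', '+/'), true); // strict decode
    if ($raw === false) {
        return false;
    }
    $decoded = json_decode($raw, true, 8);   // null on invalid JSON or excessive depth
    return is_array($decoded);
}

// Walk $_REQUEST recursively; builder plugins commonly nest values under params[...] arrays.
function stopgap_request_has_b64_json(array $data): bool
{
    foreach ($data as $v) {
        if (is_array($v)) {
            if (stopgap_request_has_b64_json($v)) {
                return true;
            }
        } elseif (is_string($v) && stopgap_is_b64_json($v)) {
            return true;
        }
    }
    return false;
}

function stopgap_block_fusion_widget_markup(): void
{
    if (!stopgap_request_has_b64_json($_REQUEST)) {
        return; // no base64/JSON payload present: let the plugin handle the request
    }
    error_log(sprintf(
        'stopgap CVE-2026-6279: blocked unauthenticated fusion_get_widget_markup request from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    // wp_die() terminates the request; the 403 is honoured by the admin-ajax die handler.
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
}

// wp_ajax_nopriv_{action} fires only for callers without a session. Priority -1 runs before
// the plugin's own handler (WordPress default priority is 10), so the payload never reaches it.
add_action('wp_ajax_nopriv_fusion_get_widget_markup', 'stopgap_block_fusion_widget_markup', -1);
```

Because the hook is the nopriv variant, logged-in users are unaffected, which keeps the site editor usable while blocking the unauthenticated path the briefing describes. The trade-off is the same as for the WAF rule: if the plugin's legitimate front-end rendering for visitors depends on base64-encoded JSON reaching this action, those visitors will receive 403s, and deactivating the plugin until the fix is installed is the cleaner choice. The error_log() line gives you a grep target in the PHP error log for blocked attempts.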