2 matches found
CVE-2026-6279 Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler
The Avada Builder fusion-builder plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the wpconditionaltags case in FusionBuilderConditionalRenderHelper::getvalue passing attacker-controlled...
CVE-2026-6279
The CVE-2026-6279 entry identifies a vulnerability in the Avada Builder (fusion-builder) WordPress plugin up to version 3.15.2. The root cause is a PHP function injection flaw in Fusion_Builder_Conditional_Render_Helper::get_value(), where attacker-controlled data from a base64-decoded JSON blob ...