CVE-2026-6279
ThemeFusion · Avada Builder (fusion-builder)
The Avada Builder plugin for WordPress is vulnerable to unauthenticated remote code execution via PHP function injection in the `fusion_get_widget_markup` AJAX endpoint.
Executive summary
An unauthenticated remote code execution vulnerability in the Avada Builder plugin allows attackers to compromise WordPress sites by injecting malicious PHP code.
Vulnerability
This is an unauthenticated remote code execution vulnerability. The endpoint's nonce check does not prevent exploitation because the nonce can be harvested from public-facing pages; an attacker can then call the `fusion_get_widget_markup` endpoint to inject arbitrary code.
Business impact
Full site compromise is possible, allowing attackers to steal sensitive database information, install backdoors, or pivot to the underlying server. With a CVSS score of 9.8, this flaw represents an extreme risk to all WordPress sites running the affected plugin.
Remediation
Immediate Action: Update the Avada Builder (fusion-builder) plugin to the latest available version.
Proactive Monitoring: Review web access logs for unusual requests to the fusion_get_widget_markup AJAX endpoint or suspicious administrative activity.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious JSON payloads or suspicious function calls within plugin endpoints.
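The log review recommended above can be scripted. The following is an added example written for this advisory, not code from ThemeFusion or from the Avada plugin. It assumes a standard Apache/Nginx "combined" access log and looks for requests to `wp-admin/admin-ajax.php` whose `action` parameter is `fusion_get_widget_markup`, then counts them per client address so bursts from one source stand out. The sample log lines, client addresses and user agents are constructed for the demonstration. Because access logs record only the query string, an `action` sent in a POST body is not visible to this check; pair it with WAF or request-body logging for full coverage.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache/Nginx "combined" log format:
# IP ident user [timestamp] "METHOD target PROTOCOL" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The AJAX action named in the advisory.
VULN_ACTION = "fusion_get_widget_markup"

# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Mar/2026:14:02:15 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2026:14:02:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://example.com/wp-admin/post.php" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Mar/2026:14:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:03:05 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_get_widget_markup HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Mar/2026:14:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_get_widget_markup&x=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    # WordPress dispatches admin-ajax.php on the `action` parameter, which may be
    # sent in the query string or the POST body; only the query string is logged.
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return rec


def is_target_action(rec):
    """True when the request addresses admin-ajax.php with the vulnerable action."""
    if not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    return rec["params"].get("action") == VULN_ACTION


def scan(lines):
    """Return (matching records, hit count per client IP) for an iterable of log lines."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than abort the whole scan
        if is_target_action(rec):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip


def report(lines):
    """Human-readable summary, one line per hit plus a per-IP tally."""
    hits, per_ip = scan(lines)
    out = []
    for rec in hits:
        # An empty referer ("-") with a non-browser user agent is a common sign of
        # a scripted client rather than an editor working in the page builder.
        hint = " (no referer)" if rec["referer"] == "-" else ""
        out.append(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} -> {rec["status"]}{hint}')
    for ip, n in per_ip.most_common():
        out.append(f"{ip}: {n} request(s) to action={VULN_ACTION}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log with `scan(open("/var/log/nginx/access.log"))` or pipe the file in; a single hit from an address that never authenticated to the site is already worth investigating, and any hits dated before the plugin was updated should trigger an integrity review of the install.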
Exploitation status
Public Exploit Available: false
Analyst recommendation
WordPress administrators must treat this as a critical priority. Patching the plugin is the only effective way to prevent unauthenticated attackers from gaining complete control over the site.