The Avada Builder plugin for WordPress versions up to 3.15.2 contains an unauthenticated remote code execution vulnerability due to improper neutralization of special elements in output used by a downstream component (CWE-74). Specifically, the wp_conditional_tags case in Fusion_Builder_Conditional_Render_Helper::get_value() passes attacker-controlled values from a base64-decoded JSON blob directly to call_user_func() without any allowlist validation. The fusion_get_widget_markup AJAX endpoint, registered for unauthenticated users, can be exploited because its nonce (fusion_load_nonce) is generated for user ID 0 and deterministically exposed in JavaScript on public pages with certain shortcodes. This allows attackers to execute arbitrary PHP code remotely without authentication.

Successful exploitation allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress sites running vulnerable versions of the Avada Builder plugin. This can lead to full site compromise, including data theft, site defacement, or further pivoting within the hosting environment. The CVSS score of 9.8 reflects the critical nature of this vulnerability with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider disabling or removing the Avada Builder plugin or restricting access to the fusion_get_widget_markup AJAX endpoint. Monitoring vendor channels for an official patch or update is strongly recommended. Do not rely solely on the nonce protection as it is deterministically exposed and insufficient to prevent exploitation.