Avada Builder
cpe:2.3:a:fusion_builder_project:fusion_builder:*:*:*:*:wordpress:*:*
- <= 3.15.2
A remote code execution vulnerability has been identified in the Avada Builder (fusion-builder) plugin for WordPress, affecting versions through 3.15.2. The issue arises from the 'wp_conditional_tags' case in the 'Fusion_Builder_Conditional_Render_Helper::get_value()' method, where attacker-controlled values from a base64-decoded JSON blob are passed directly to 'call_user_func()' without proper validation. This vulnerability can be exploited by unauthenticated attackers through the 'fusion_get_widget_markup' AJAX endpoint, which is available to non-privileged users. The endpoint requires a nonce that is exposed in the JavaScript of public pages with certain elements, allowing for arbitrary code execution on affected sites.
Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected WordPress site.
To reproduce this vulnerability, send a request to the 'fusion_get_widget_markup' AJAX endpoint with a base64-encoded JSON blob containing malicious PHP code. The 'wp_conditional_tags' case in the 'Fusion_Builder_Conditional_Render_Helper::get_value()' method will decode the JSON and execute the PHP code on the server.
Users are advised to update the Avada Builder plugin to version 3.15.3 or later.
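For code that has to evaluate a client-supplied conditional tag, one way to avoid the unvalidated 'call_user_func()' pattern described above is to resolve the decoded name against a fixed allowlist first. The PHP below is an added example, not Avada Builder's code or the 3.15.3 fix; the JSON keys 'function' and 'args', the helper name evaluate_conditional_tag, the allowlist contents and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not Avada Builder source. The JSON keys 'function' and
// 'args' and the contents of the allowlist are assumptions for this example.

// Conditional tags the renderer may evaluate; anything else is refused.
const ALLOWED_CONDITIONAL_TAGS = [
    'is_home', 'is_front_page', 'is_single', 'is_page',
    'is_archive', 'is_search', 'is_404', 'is_user_logged_in',
];

// Decode a client-supplied condition and evaluate it only if it names an
// allowlisted conditional tag. Returns null when the input is rejected.
function evaluate_conditional_tag(string $blob): ?bool
{
    $json = base64_decode($blob, true);            // strict: reject non-base64 bytes
    if ($json === false) {
        return null;
    }
    $cond = json_decode($json, true, 4);           // shallow depth limit
    if (!is_array($cond) || !is_string($cond['function'] ?? null)) {
        return null;
    }
    $name = $cond['function'];
    // Strict comparison against fixed names: no "Class::method", no arrays.
    if (!in_array($name, ALLOWED_CONDITIONAL_TAGS, true) || !function_exists($name)) {
        return null;
    }
    $args = $cond['args'] ?? [];
    if (!is_array($args) || count($args) > 1) {
        return null;
    }
    foreach ($args as $arg) {
        if (!is_int($arg) && !is_string($arg)) {   // scalar arguments only
            return null;
        }
    }
    // array_values() drops string keys so they cannot act as named arguments.
    return (bool) call_user_func_array($name, array_values($args));
}

// Stand-in so the demo runs outside WordPress (constructed for this example).
if (!function_exists('is_front_page')) {
    function is_front_page(): bool { return true; }
}

// Constructed inputs: one allowlisted tag, one name outside the allowlist.
$ok  = base64_encode(json_encode(['function' => 'is_front_page', 'args' => []]));
$bad = base64_encode(json_encode(['function' => 'strrev', 'args' => ['abc']]));
var_dump(evaluate_conditional_tag($ok), evaluate_conditional_tag($bad));
```

The allowlisted name is evaluated and the other is rejected before any call is made, so the decoded value never selects which function runs.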