CVE-2026-54194: WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability
PHP Object Injection in Fusion Builder versions <= 3.15.4 (summary line: "Contributor PHP Object Injection"). Note that the "Contributor" prefix in that summary conventionally indicates a Contributor-role account is needed to reach the vulnerable sink, which conflicts with the PR:N in the CVSS vector at the bottom of this page; confirm the actual precondition against the upstream advisory before treating this as unauthenticated.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no upstream fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a class of vulnerability in which attacker-supplied data is passed to PHP's unserialize(). The serialized string names the classes to instantiate and the property values to populate, and PHP runs the magic methods of those classes (__wakeup, __destruct, __toString and similar) without the application ever calling a method on the object. By picking classes already loaded by WordPress core, other plugins or vendored libraries (a "gadget chain"), the attacker turns that into file reads, file writes or arbitrary code execution. In Fusion Builder (a WordPress plugin by ThemeFusion) at versions 3.15.4 and below, this advisory rates the flaw as reachable over the network with no authentication required, meaning any internet-accessible WordPress site running the affected plugin is exposed. Successful exploitation yields full confidentiality, integrity and availability impact on the affected application. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
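The pattern described above, as an added illustration that is not Fusion Builder code and does not reproduce the actual vulnerable code path: a hypothetical gadget class (LogWriter), a hypothetical import sink (import_settings_vulnerable) that hands attacker input to unserialize(), and two hardened variants. The class name, the function names and the payload are constructed for the demo.

```php
<?php
// Added illustration of the vulnerability class; not Fusion Builder code.
// LogWriter, import_settings_*() and the payload are constructed for the demo.

// A gadget is any already-loaded class whose magic method acts on
// attacker-controlled properties. In a real WordPress deployment the chain is
// assembled from classes in core, other plugins or vendored libraries; the
// attacker never needs to upload a class of their own.
class LogWriter
{
    public $path;
    public $content;

    // Runs when the object is garbage-collected, even though the code that
    // called unserialize() never invokes a method on it.
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable sink: attacker-controlled input reaches unserialize().
function import_settings_vulnerable(string $blob)
{
    return unserialize(base64_decode($blob));
}

// Hardened sink: allowed_classes => false turns every object in the input into
// a __PHP_Incomplete_Class, whose original magic methods are never invoked.
function import_settings_hardened(string $blob)
{
    return unserialize(base64_decode($blob), ['allowed_classes' => false]);
}

// Preferred: a data format that cannot express objects at all.
function import_settings_json(string $blob): array
{
    $data = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings must be a JSON object or array');
    }
    return $data;
}

// Hand-built payload in the form an attacker sends: O:<len>:"<class>":<n>:{...}.
// Built by hand rather than with serialize() so that no live LogWriter exists
// on our side whose own __destruct would write the file.
$target     = sys_get_temp_dir() . '/poi-demo.txt';
$content    = "written by gadget\n";
$serialized = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
);
$payload = base64_encode($serialized);

@unlink($target);
$obj = import_settings_vulnerable($payload);
unset($obj);    // __destruct of the injected LogWriter runs here and writes $target
printf("vulnerable sink: file exists = %s\n", var_export(file_exists($target), true));

@unlink($target);
$obj = import_settings_hardened($payload);
printf("hardened sink: unserialize returned a %s\n", get_class($obj));
unset($obj);    // no destructor runs: an incomplete class carries no methods
printf("hardened sink: file exists = %s\n", var_export(file_exists($target), true));

// JSON cannot smuggle an object: the blob either parses to plain data or throws.
try {
    import_settings_json($serialized);
} catch (JsonException $e) {
    printf("json sink: rejected (%s)\n", $e->getMessage());
}
```

The allowed_classes option exists since PHP 7.0; it is the minimum fix when a serialized format must be kept, because it stops every gadget chain at the instantiation step rather than trying to blocklist individual classes. Switching the format to JSON removes the sink entirely.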
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-54194 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and other advisory sources. Coverage extends to custom-built images that bundle the Fusion Builder plugin, not only images pulled from public registries.
- Triage: Available. Triage uses the CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on configured escalation rules.
- Patched rebuild: Pending upstream. Because no upstream fix version has been published for CVE-2026-54194, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ThemeFusion ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix is available.
Exploit Conditions
- Network reachability: Required (AV:N)
The vulnerable endpoint is exposed over the network, meaning an attacker can send a crafted request from anywhere on the internet without requiring local or adjacent-network access.
- Authentication: Not required (PR:N)
No account or session credential is needed to trigger the vulnerability; any unauthenticated HTTP request is sufficient. See the caveat under the summary line above about the "Contributor" prefix.
- Victim interaction: Not required (UI:N)
No user action such as clicking a link or opening a file is required; the attacker exploits the service directly.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free, with no race conditions, specific memory layouts, or environmental prerequisites standing between the attacker and a successful payload. The deserialization itself needs no precondition; the code-execution outcome still depends on a usable gadget chain being present in the loaded WordPress, plugin, or vendored code, which is the case on most real-world installs.
Blast Radius
- Reads any file readable by the web server process, including wp-config.php and the database credentials it holds, and through those credentials the stored session tokens and customer records in the database.
- Writes or overwrites arbitrary files writable by the web server process, enabling the attacker to plant a web shell or modify plugin and theme code.
- Executes arbitrary PHP code through gadget-chain exploitation, giving the attacker remote code execution as the PHP worker inside the container or host running WordPress.
- Crashes or degrades the WordPress application by corrupting persistent state or exhausting resources through crafted object graphs.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-54194 is active across all customer environments scanning images that include Fusion Builder 3.15.4 or earlier. Because ThemeFusion has not yet published a fix version, no patched rebuild is currently available, and HarborGuard will generate one automatically the moment an upstream release appears. In the interim, customers can apply compensating controls through HarborGuard's network-policy tooling, specifically isolating WordPress containers from unnecessary egress paths (which blunts reverse shells and second-stage downloads after a successful gadget chain) and restricting inbound access to trusted IP ranges where operationally feasible. Gating the Fusion Builder import or deserialization endpoints at the application or WAF layer is also a viable short-term mitigation; note that a WAF rule keyed on serialized-object markers is a stopgap, since payloads can be wrapped in encodings the rule does not unpack, so it narrows the exposure rather than closing it. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will trigger without manual steps once a fix is published upstream.
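One way to build the application-layer gate mentioned above, as an added example that is not HarborGuard, ThemeFusion or WordPress code: reject any request parameter that carries a serialized PHP object marker, peeling one layer of base64 because that is how such blobs usually travel in form fields. The parameter names and the two sample requests are constructed for the demo; the regular expression and the base64 handling are the author's assumptions about what a serialized-object payload looks like on the wire.

```php
<?php
// Added example; not HarborGuard, ThemeFusion or WordPress code. Parameter
// names and sample requests are constructed for the demo.

// Object markers emitted by serialize(): O:<len>:"Class":<n>:{ for plain
// objects and C:<len>:"Class":<len>:{ for Serializable classes.
const PHP_OBJECT_RE = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

function looks_like_php_object(string $value): bool
{
    if (preg_match(PHP_OBJECT_RE, $value) === 1) {
        return true;
    }
    // Peel one base64 layer. strtr() also accepts the URL-safe alphabet and
    // strict decoding returns false for anything that is not base64.
    if (preg_match('/^[A-Za-z0-9+\/=_-]{8,}$/', $value) === 1) {
        $decoded = base64_decode(strtr($value, '-_', '+/'), true);
        if ($decoded !== false && preg_match(PHP_OBJECT_RE, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

// Walks a request parameter tree (nested arrays included) and returns the
// dotted path of the first offending parameter, or null when the request is clean.
function find_php_object_param(array $params, string $prefix = ''): ?string
{
    foreach ($params as $name => $value) {
        $path = $prefix === '' ? (string) $name : "$prefix.$name";
        if (is_array($value)) {
            $hit = find_php_object_param($value, $path);
            if ($hit !== null) {
                return $hit;
            }
        } elseif (is_string($value) && looks_like_php_object($value)) {
            return $path;
        }
    }
    return null;
}

// Constructed sample requests. The benign one carries a serialized *array*,
// which the gate must let through: only object markers are blocked.
$benign = [
    'action'  => 'fusion_import',                   // hypothetical parameter names
    'title'   => 'Object: O:1 ratio',
    'options' => ['color' => '#ff0000', 'layout' => 'a:1:{s:3:"col";i:2;}'],
];
$hostile = [
    'action'  => 'fusion_import',
    'options' => ['blob' => base64_encode('O:9:"LogWriter":1:{s:4:"path";s:10:"/tmp/x.php";}')],
];

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $request) {
    $hit = find_php_object_param($request);
    printf("%s request: %s\n", $label, $hit === null ? 'allowed' : "blocked on parameter '$hit'");
}
```

In a WordPress deployment this would sit in a must-use plugin hooked on `init`, calling `find_php_object_param($_REQUEST)` and ending the request with `wp_die()` and a 400 response on a hit. Expect two kinds of friction: legitimate plugins that post serialized objects will be blocked (allowlist their endpoints), and an attacker who wraps the payload in an encoding the gate does not unpack (gzip, double base64, custom transforms) will get past it. Treat it as a stopgap until the upstream fix ships.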
Affected Products
- ThemeFusion / Fusion Builder: ≤ 3.15.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H