A critical-severity path traversal vulnerability (CVE-2026-8713) in the Avada (Fusion) Builder WordPress plugin allows unauthenticated attackers to delete arbitrary files on the server, potentially triggering remote code execution, affecting all versions up to and including 3.15.3.
WordPress site owners running the Avada theme’s companion Fusion Builder plugin are urged to update immediately after security researchers disclosed a zero-interaction, unauthenticated arbitrary file deletion flaw on June 18, 2026.
Assigned a CVSS 3.1 score of 9.1 (Critical), this vulnerability, tracked as CVE-2026-8713, poses a severe threat to over one million WordPress websites globally that rely on Avada as their page builder.
The flaw was discovered and responsibly disclosed by independent security researcher daroo through the Wordfence Bug Bounty Program, with public disclosure occurring on June 18, 2026 and details last updated on June 19, 2026.
The vulnerability is classified under CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”), a class of bugs notoriously exploited to break out of intended filesystem boundaries.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H confirms the worst-case scenario: the attack is fully remote, requires no authentication, demands no user interaction, and carries high impact on both Integrity and Availability.
The flaw has been patched in Avada (Fusion) Builder version 3.15.4, and all users still running 3.15.3 or older are considered at risk.
The root cause resides in the maybe_delete_files function within the file inc/class-fusion-form-db-entries.php (line 79), which fails to perform adequate file path validation before executing file deletion operations.
This insufficient sanitization allows an attacker to inject path traversal sequences (e.g., ../../) into form entry values submitted through the plugin’s AJAX handler.
The attack chain unfolds as follows:
- Precondition: The target WordPress site must have a published Avada form with “Save entries to database” enabled, a common configuration for contact forms.
- Payload Injection: An unauthenticated attacker submits a crafted path traversal string as the form entry value via the wp_ajax_nopriv_fusion_form_submit_ajax AJAX endpoint.
- Privacy Control Abuse: The attacker simultaneously manipulates the fusion_privacy_expiration_interval and privacy_expiration_action fields, forcing the interval to zero and the action to delete, which triggers immediate entry cleanup.
- Shutdown Hook Execution: The planted malicious entry is automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine, which runs at the end of the page request, causing the server to delete any file specified in the traversal payload, all without any administrator interaction.
The most devastating exploitation scenario involves deleting wp-config.php, WordPress’s core configuration file, which contains database credentials, authentication keys, and salts. Once wp-config.php is removed, WordPress enters a fresh installation state, allowing an attacker to reconfigure the CMS with their own database, effectively achieving Remote Code Execution (RCE) and full site takeover.
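The containment check that a fix for maybe_delete_files needs, shown here as an added illustration in Python (the plugin itself is PHP, and this is not the project's code): the untrusted entry value is resolved against the one directory deletions are allowed in, and anything that resolves outside it, including absolute paths and ../ sequences, is refused. The uploads directory, file names and the stand-in wp-config.php are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

def resolve_within(base_dir: str, candidate: str) -> Optional[Path]:
    """Resolve `candidate` relative to `base_dir` and return it only if the real
    path (after '..' and symlink resolution) still lies inside base_dir.
    Absolute candidates and values with embedded NULs are rejected as well."""
    try:
        base = Path(base_dir).resolve(strict=True)
        target = (base / candidate).resolve()   # an absolute candidate replaces base here
        target.relative_to(base)                # raises ValueError when outside base
    except (ValueError, OSError):
        return None
    return target

def safe_delete(base_dir: str, candidate: str) -> bool:
    """Delete a file named by untrusted input only when it is a regular file
    inside base_dir. Returns True if a file was actually removed."""
    target = resolve_within(base_dir, candidate)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True

def demo() -> dict:
    """Constructed scenario: an uploads directory holding one form attachment and
    a stand-in wp-config.php one level up, mirroring the article's worst case."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        config = os.path.join(root, "wp-config.php")
        for p in (config, os.path.join(uploads, "entry-42.pdf")):
            Path(p).touch()
        return {
            "relative_traversal_blocked": not safe_delete(uploads, "../wp-config.php"),
            "absolute_path_blocked": not safe_delete(uploads, config),
            "config_survived": os.path.exists(config),
            "in_scope_file_deleted": safe_delete(uploads, "entry-42.pdf"),
            "directory_itself_refused": not safe_delete(uploads, "."),
        }
```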
CVE-2026-8713 is not an isolated incident. The Avada (Fusion) Builder plugin has been plagued by a series of critical vulnerabilities throughout 2026, underscoring systemic security concerns in the plugin’s codebase:
- CVE-2026-4782 (CVSS 6.5): An authenticated arbitrary file read flaw in the fusion_get_svg_from_file function allowed subscriber-level users to read sensitive files, including wp-config.php.
- CVE-2026-4798 (CVSS 7.5): An unauthenticated time-based SQL injection via the product_order parameter exposed the entire WordPress database to extraction.
- CVE-2026-6279 (CVSS 9.8): A critical unauthenticated RCE via PHP Function Injection was discovered in versions up to 3.15.2, where attacker-controlled values from a base64-decoded JSON blob were passed directly to call_user_func() without allowlist validation.
- CVE-2026-32452: An unauthorized access flaw due to a missing capability check on a core function, affecting all versions prior to 3.15.0.
This pattern of repeated high-severity disclosures across consecutive plugin versions signals that Avada’s form handling and AJAX callback architecture require a comprehensive security audit.
Infosecurity Magazine reported that, in May 2026, Avada-related flaws had already exposed over 1 million WordPress sites to potential exploitation.
Avada is one of the best-selling WordPress themes of all time, with its companion Fusion Builder installed on an estimated 900,000 to 1,000,000+ active WordPress websites worldwide.
Any site running an unpatched version (≤ 3.15.3) with an active Avada form collecting entries is directly exploitable, with no credentials required.
In mass-exploitation scenarios, threat actors can automate form submissions to target thousands of vulnerable sites simultaneously via publicly available AJAX endpoints, making detection difficult before damage occurs.
The deletion of critical system files can also result in:
- Permanent data loss if backups are not maintained
- Complete service disruption rendering the website inaccessible
- Credential theft if wp-config.php deletion triggers a reinstall exploited by the attacker
Mitigation
The Avada development team has released version 3.15.4 which patches CVE-2026-8713 by implementing proper file path validation in the maybe_delete_files function. Site administrators should take the following immediate actions:
- Update Fusion Builder to version 3.15.4 or later via the WordPress plugin dashboard
- Audit server logs for suspicious POST requests to wp-ajax.php containing path traversal patterns (../, %2e%2e%2f)
- Enable WAF rules; Wordfence Premium users received a firewall rule as of June 18, 2026
- Verify form settings and disable database entry storage for Avada forms if not required
- Confirm wp-config.php integrity and ensure regular off-site backups are in place
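A log triage routine for the audit step above, added here as an example rather than code from the article or the vendor. It assumes requests reach WordPress's admin-ajax.php (the endpoint the article refers to as wp-ajax.php), that the AJAX action parameter is fusion_form_submit_ajax (derived from the wp_ajax_nopriv_ hook name), and that a WAF or audit log may supply the POST body; the log lines, IP addresses and the entry field name are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '      # combined format
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')
TRAVERSAL = re.compile(r'\.\.[\\/]')  # "../" or "..\" once fully decoded

def fully_decode(value, rounds=3):
    """Peel up to `rounds` layers of percent-encoding (%2e%2e%2f, %252e%252e%252f)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line, body=""):
    """Flag a POST to the AJAX endpoint whose parameters carry a traversal sequence
    or the zero-interval/delete privacy override. `body` is the form payload where a
    WAF or audit log captured it; a plain access log only yields the query string."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("ajax.php"):  # WordPress serves AJAX from admin-ajax.php
        return None
    params = parse_qs(url.query)           # parse_qs removes one encoding layer
    params.update(parse_qs(body))
    texts = [fully_decode(v) for values in params.values() for v in values]
    reasons = []
    if any(TRAVERSAL.search(t) for t in texts + [fully_decode(m["target"])]):
        reasons.append("path traversal sequence in request")
    if (params.get("fusion_privacy_expiration_interval") == ["0"]
            and params.get("privacy_expiration_action") == ["delete"]):
        reasons.append("privacy interval forced to 0 with action=delete")
    if not reasons:
        return None
    return {"ip": m["ip"], "action": params.get("action", [""])[0], "reasons": reasons}

# Constructed sample: a clean submission, a double-encoded traversal in the query
# string, and a submission whose body (SAMPLE_BODIES, keyed by line index) was captured.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2026:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax HTTP/1.1" 200 86',
    '198.51.100.77 - - [18/Jun/2026:10:02:41 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&entry=%252e%252e%252fwp-config.php HTTP/1.1" 200 86',
    '198.51.100.77 - - [18/Jun/2026:10:02:42 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 86',
]
SAMPLE_BODIES = {2: "action=fusion_form_submit_ajax&fusion_privacy_expiration_interval=0"
                    "&privacy_expiration_action=delete&entry=..%2F..%2F..%2Fwp-config.php"}

def scan(lines=SAMPLE_LOG, bodies=SAMPLE_BODIES):
    """Run classify() over each line, pairing it with a captured body when one exists."""
    results = [classify(line, bodies.get(i, "")) for i, line in enumerate(lines)]
    return [r for r in results if r]
```

Findings name the source IP, the AJAX action and the reason, which is enough to pivot into the rest of that client's requests around the same timestamp.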
Frequently Asked Questions (FAQs)
Q1: What is CVE-2026-8713?
CVE-2026-8713 is a critical (CVSS 9.1) unauthenticated arbitrary file deletion vulnerability in the Avada (Fusion) Builder WordPress plugin (≤ 3.15.3) that allows attackers to delete server files without any login or admin interaction.
Q2: Does exploiting this vulnerability require authentication?
No. The attack leverages the wp_ajax_nopriv_fusion_form_submit_ajax handler, which is accessible to completely unauthenticated users, making it especially dangerous for public-facing WordPress sites.
Q3: Can this file deletion vulnerability lead to full website compromise?
Yes. Deleting wp-config.php resets WordPress to installation mode, enabling an attacker to hijack the site’s database connection and achieve remote code execution with full administrative control.
Q4: What version of Avada (Fusion) Builder fixes CVE-2026-8713?
The vulnerability is fully patched in Avada (Fusion) Builder version 3.15.4, released June 18, 2026; all users on version 3.15.3 or below must update immediately via their WordPress dashboard.
Site: thecybrdef.com