A critical unauthenticated arbitrary file deletion vulnerability has been discovered in Avada Builder, one of WordPress’s most widely deployed premium page builder plugins, putting approximately 1,000,000 active installations at immediate risk of complete site compromise.
Tracked as CVE-2026-8713 with a CVSS score of 9.1 (Critical), the flaw allows attackers to delete arbitrary server files, including the critical wp-config.php, without any authentication, potentially triggering full remote code execution (RCE).
Discovered and responsibly reported by security researcher daroo through the Wordfence Bug Bounty Program on May 13, 2026, the vulnerability resides in the maybe_delete_files() function within the Fusion_Form_DB_Entries class of Avada Builder versions 3.15.3 and below.
The flaw is rooted in the plugin’s form builder feature, which allows administrators to create custom forms and optionally store submissions in the database.
The privacy cleanup mechanism, designed to automatically purge or anonymize old entries, performs file deletions without adequate path validation.
Specifically, the function replaces the Avada Forms upload URL with a local filesystem path using a simple string replacement, with no realpath() resolution or directory containment check. This means path traversal sequences such as /../../../ pass through the cleanup logic entirely unfiltered.
An unauthenticated attacker can exploit this by submitting a crafted form entry with a malicious text field value like:
```text
http://victim.com/wp-content/uploads/fusion-forms/../../../../../../wp-config.php
```
By also manipulating the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate “delete” cleanup cycle, the attacker causes the Fusion_Form_DB_Privacy shutdown-hook routine to automatically process the planted entry, deleting the targeted file without any administrator interaction required.
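The following PHP is an added illustration, not Avada's code and not the vendor patch. It contrasts the unsafe URL-to-path mapping the advisory describes (a bare string replacement) with a hardened version that restricts the value to a flat file name, resolves it with realpath(), and checks that the result stays inside the upload directory. The function names, the temporary directory layout and the sample URLs are all constructed for the demo.

```php
<?php
// Added illustration (not the plugin's code): mapping a stored upload URL back to a
// filesystem path before a privacy cleanup deletes it.

// Vulnerable pattern: plain string substitution. A URL carrying "../" segments
// becomes a path carrying "../" segments, and a later unlink() follows them.
function url_to_path_unsafe(string $url, string $uploadsUrl, string $uploadsDir): string
{
    return str_replace($uploadsUrl, $uploadsDir, $url);
}

// Hardened pattern: require the form-upload prefix, allow only a flat file name,
// canonicalize with realpath(), and insist the result stays inside the directory.
function url_to_path_safe(string $url, string $uploadsUrl, string $uploadsDir): ?string
{
    $prefix = rtrim($uploadsUrl, '/') . '/';
    if (strncmp($url, $prefix, strlen($prefix)) !== 0) {
        return null;                       // not one of our uploads at all
    }
    $name = substr($url, strlen($prefix));
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null;                       // slashes, "..", or NUL bytes are not allowed
    }
    $base = realpath($uploadsDir);
    $candidate = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;                       // directory or file does not exist
    }
    // Containment: the resolved path must start with "<base>/" (symlinks already followed).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a throwaway directory so the script runs anywhere; the layout is constructed.
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cleanup-demo-' . getmypid();
$forms = $root . '/wp-content/uploads/fusion-forms';
mkdir($forms, 0700, true);
file_put_contents($root . '/wp-config.php', '<?php // stand-in for the real config');
file_put_contents($forms . '/entry-42.txt', 'form attachment');

$uploadsUrl = 'http://victim.example/wp-content/uploads/fusion-forms';
$benign     = $uploadsUrl . '/entry-42.txt';
$hostile    = $uploadsUrl . '/../../../wp-config.php';   // three levels up lands on wp-config.php

// The unsafe mapping happily produces a path outside the upload directory;
// the safe mapping returns null for it and a canonical path for the benign entry.
printf("unsafe(benign)  = %s\n", url_to_path_unsafe($benign, $uploadsUrl, $forms));
printf("unsafe(hostile) = %s\n", url_to_path_unsafe($hostile, $uploadsUrl, $forms));
printf("safe(benign)    = %s\n", var_export(url_to_path_safe($benign, $uploadsUrl, $forms), true));
printf("safe(hostile)   = %s\n", var_export(url_to_path_safe($hostile, $uploadsUrl, $forms), true));

// Remove the demo tree.
unlink($forms . '/entry-42.txt');
unlink($root . '/wp-config.php');
rmdir($forms);
rmdir($root . '/wp-content/uploads');
rmdir($root . '/wp-content');
rmdir($root);
```

Two design points matter here. The basename() comparison rejects any value containing a directory separator before the filesystem is touched, so the check does not depend on realpath() alone; and because realpath() only resolves existing paths, a cleanup routine built this way can never delete a file it was not able to locate inside its own directory.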
The attack chain doesn’t stop at file deletion. Once wp-config.php is removed, WordPress enters its initial installation state, presenting the setup wizard to whoever visits the site.
An attacker can then point the WordPress installation at an attacker-controlled database, effectively seizing complete control over the site.
From there, malicious plugins or themes containing arbitrary PHP code can be installed, achieving persistent remote code execution on the server.
This attack requires only one pre-condition: a published Avada form configured to save entries to the database must exist on the target site, a common configuration among active Avada users. No account, token, or privilege is required beyond the ability to submit a form.
As Wordfence emphasized, this vulnerability “can lead to complete site compromise,” placing it among the most severe WordPress plugin flaws disclosed in 2026.
Affected Versions and Patch Details
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-8713 |
| CVSS Score | 9.1 (Critical) |
| Affected Versions | Avada (Fusion) Builder ≤ 3.15.3 |
| Patched Version | 3.15.4 |
| Plugin Installations | ~1,000,000 |
| Bug Bounty Awarded | $3,600.00 |
Wordfence provided full disclosure to the Avada development team through its Vulnerability Management Portal on May 15, 2026. The Avada team responded promptly, acknowledging the report and submitting a patch by May 19, 2026. The fully patched version, Avada Builder 3.15.4, was publicly released on June 2, 2026.
- May 13, 2026 — Vulnerability submitted to Wordfence via Bug Bounty Program
- May 15, 2026 — Report validated, proof-of-concept confirmed, full disclosure sent to Avada team
- May 19, 2026 — Avada team acknowledged and submitted patch
- June 2, 2026 — Patched version 3.15.4 publicly released
All Wordfence users, including those on Wordfence Premium, Wordfence Care, Wordfence Response, and the free version, are protected against exploitation of this vulnerability.
The Wordfence firewall’s built-in path traversal protection detects the traversal sequence within submitted form data and blocks the malicious request before it can reach the vulnerable cleanup function.
This protection was active from the point of vulnerability discovery, giving Wordfence users a critical head start before the public patch was available.
Site administrators running Avada Builder must update to version 3.15.4 immediately. Given the zero-authentication requirement and the potential for complete server takeover, this vulnerability should be treated as an emergency patch priority. If you manage multiple WordPress sites or know other Avada users, sharing this advisory could prevent a serious breach.
To check your current plugin version, navigate to WordPress Dashboard → Plugins → Installed Plugins and search for “Avada Builder” or “Fusion Builder.”
FAQ
Q1: What is CVE-2026-8713?
CVE-2026-8713 is a critical unauthenticated arbitrary file deletion vulnerability in Avada Builder (≤ 3.15.3) that can lead to remote code execution.
Q2: Do I need to be logged in to exploit this vulnerability?
No — the attack requires zero authentication, making it accessible to any anonymous internet user who can submit a form.
Q3: Is there a patch available for this Avada Builder vulnerability?
Yes — Avada Builder version 3.15.4, released June 2, 2026, fully resolves the vulnerability.
Q4: Does Wordfence protect against CVE-2026-8713 even without the patch?
Yes — all Wordfence users, including free tier users, are protected via the firewall’s built-in path traversal detection.
Site: thecybrdef.com