GBHackers

Critical WordPress Plugin Bug Could Allow File Deletion Attacks on 1 Million Sites


A serious security vulnerability has been uncovered in the widely used Avada (Fusion) Builder WordPress plugin. This flaw could enable unauthenticated attackers to delete arbitrary files and potentially compromise entire websites across more than one million installations.

Identified as CVE-2026-8713 and assigned a CVSS score of 9.1, the vulnerability affects all plugin versions up to and including 3.15.3. It has been resolved in version 3.15.4. The issue was discovered by security researcher “daroo,” who reported it through the Wordfence Bug Bounty Program, earning a $3,600 reward.

Critical WordPress Plugin Bug

The vulnerability stems from insufficient file path validation within the plugin’s maybe_delete_files() function, part of the Fusion_Form_DB_Entries class. Avada Builder includes a form feature that stores user submissions in the database and later processes them with a privacy cleanup mechanism.

This cleanup routine is designed to delete or anonymize stored entries after a defined expiration period. However, due to improper sanitization and lack of path normalization, the function fails to validate whether file paths remain within the intended upload directory.

Attackers can exploit this weakness by submitting a specially crafted form input containing path traversal sequences. Because the plugin does not enforce directory boundaries using functions like realpath(), a path that references a sensitive file outside the uploads directory is preserved as submitted.

When the cleanup process executes, it converts the attacker-controlled URL into a filesystem path and passes it to WordPress’s wp_delete_file() function, which then deletes the attacker-chosen file on the server.
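The missing boundary check described above, as an added example that is not Avada Builder’s code: a cleanup step that resolves the stored path with realpath() and refuses anything outside the uploads directory before calling wp_delete_file(). The helper names resolve_within_base() and safe_delete_form_upload() are hypothetical; wp_delete_file() is a real WordPress function, stubbed here so the snippet runs outside WordPress.

```php
<?php
// Added example (not Fusion_Form_DB_Entries code): the containment check a
// maybe_delete_files()-style routine should apply before wp_delete_file().

/**
 * Resolve $path with realpath() and return it only if it lies inside $base_dir.
 * Returns null for missing files, symlink escapes and "../" traversal.
 */
function resolve_within_base(string $base_dir, string $path): ?string {
    $base = realpath($base_dir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null; // base dir missing, or target does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Prefix check on resolved paths: traversal and symlinks are already collapsed.
    return str_starts_with($real, $base) ? $real : null;
}

/** Hardened cleanup step: delete a stored upload only if it resolves under the uploads dir. */
function safe_delete_form_upload(string $uploads_base, string $stored_path): bool {
    $target = resolve_within_base($uploads_base, $stored_path);
    if ($target === null) {
        error_log("refusing to delete outside uploads dir: {$stored_path}");
        return false;
    }
    wp_delete_file($target);
    return true;
}

// Minimal stub so the demo runs without WordPress loaded.
if (!function_exists('wp_delete_file')) {
    function wp_delete_file(string $file): void { @unlink($file); }
}

// Constructed demo: a throwaway uploads dir next to a fake wp-config.php.
$root    = sys_get_temp_dir() . '/avada-demo-' . getmypid();
$uploads = "$root/wp-content/uploads/fusion-forms";
mkdir($uploads, 0700, true);
file_put_contents("$root/wp-config.php", "<?php // must survive cleanup\n");
file_put_contents("$uploads/entry-1.pdf", "attachment");

var_dump(safe_delete_form_upload($uploads, "$uploads/entry-1.pdf"));           // bool(true): deleted
var_dump(safe_delete_form_upload($uploads, "$uploads/../../../wp-config.php")); // bool(false): refused
var_dump(file_exists("$root/wp-config.php"));                                   // bool(true): untouched
```

Because realpath() returns false for a non-existent target, the check also fails closed when the stored path cannot be resolved at all.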

[Figure: Avada Builder Path Traversal Blocked (Source: Wordfence)]

Exploitation requires a publicly accessible Avada form configured to store entries in the database. An unauthenticated attacker can send a request to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint, injecting a malicious payload into the form data while manipulating parameters such as fusion_privacy_expiration_interval and privacy_expiration_action to trigger immediate deletion. The cleanup routine then processes the entry automatically via a shutdown hook, requiring no administrator interaction.

A particularly dangerous outcome occurs when attackers delete critical files such as wp-config.php. Removing this file forces WordPress into its installation state, allowing attackers to reconfigure the site with a malicious database and ultimately deploy arbitrary PHP code through plugins or themes. This can lead to complete remote code execution and full site takeover.

Wordfence confirmed that its firewall protects against exploitation by detecting and blocking path traversal attempts in submitted form data. The vulnerability was responsibly disclosed to the Avada development team on May 15, 2026, with a patch released on June 2, 2026, following rapid remediation efforts.

Given the severity and ease of exploitation, administrators using Avada Builder are strongly advised to update to version 3.15.4 immediately. Organizations should also audit publicly exposed forms, implement web application firewall protections, and monitor logs for suspicious form submissions or unexpected file deletions to mitigate potential compromise.
