CVE Tools
Back to feed
Daily CyberSecurity (securityonline.info) ·EN-US News source Patch releasedAvada Builder (Fusion)

1M WordPress Sites at Risk: Critical Unauthenticated Arbitrary File Deletion in Avada Builder (CVSS 9.1)

By Do Son··2 min read
CVE Tools coverage

A critical vulnerability in themefusion Avada (Fusion) Builder, tracked as CVE-2026-8713 (CVSS 9.1), allows unauthenticated attackers to delete arbitrary files on affected servers without login. Versions at or below 3.15.3 are impacted, and the ability to remove sensitive files can lead to full compromise of a WordPress site. Site owners should upgrade to Avada Builder v3.15.4 or later immediately, even though there is no confirmed public exploitation reported yet.