CVE Tools

CVE-2026-8713

Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

Published: Jun 19, 2026Updated: Jun 22, 2026 Sources: CVE List NVDCWE-22

Description

The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.

In plain language

AI Act now

If you use the Avada (Fusion) Builder WordPress plugin up to version 3.15.3, you should act now: an unauthenticated attacker can delete files on your server, which can lead to remote code execution.

What to do

  1. Update the Avada (Fusion) Builder plugin to a fixed version newer than 3.15.3 (ask your WordPress maintainer/host if you’re unsure). 2) If you can’t update right away, temporarily disable Avada forms submission/any Avada form features that save entries to the database. 3) Check your server and WordPress for unexpected file changes—especially around uploads, configuration files, or plugin/theme directories—and review recent web requests if your host provides logs.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

themefusion
commercialaka avada (fusion) builder, fusion builder, avada

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

2 techniques
Collection
Discovery
View detailed technique mapping

References

3

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-8713 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows