CVE-2026-8713
Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
In plain language
AI Act nowIf you use the Avada (Fusion) Builder WordPress plugin up to version 3.15.3, you should act now: an unauthenticated attacker can delete files on your server, which can lead to remote code execution.
What to do
- Update the Avada (Fusion) Builder plugin to a fixed version newer than 3.15.3 (ask your WordPress maintainer/host if you’re unsure). 2) If you can’t update right away, temporarily disable Avada forms submission/any Avada form features that save entries to the database. 3) Check your server and WordPress for unexpected file changes—especially around uploads, configuration files, or plugin/theme directories—and review recent web requests if your host provides logs.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:NConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
- ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and Moreen·The Hacker News· Summary only·
- Hackers exploit info disclosure bug in Gravity SMTP WordPress pluginen-us·BleepingComputer·
- 1M WordPress Sites at Risk: Critical Unauthenticated Arbitrary File Deletion in Avada Builder (CVSS 9.1)en-us·Daily CyberSecurity (securityonline.info)·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-8713 and every CVE in our database. Create a free account — no credit card required.
Create Free Account