Avada Plugin Vulnerability Puts 1 Million WordPress Sites at Risk

A critical security flaw has been identified in the Avada (Fusion) Builder WordPress plugin, endangering over one million websites. This vulnerability, cataloged as CVE-2026-8713 with a CVSS score of 9.1, permits unauthenticated attackers to delete arbitrary files on the server, potentially leading to full site compromise and remote code execution.

The issue arises from inadequate validation of file paths within the plugin’s file-deletion mechanism, specifically in the maybe_delete_files() function. By exploiting a path-traversal vulnerability, attackers can manipulate file paths to target and delete critical files outside the intended directories.

To execute this attack, an adversary submits a specially crafted payload through Avada’s form builder feature, particularly when forms are set to store submissions in the database. For instance, by including directory traversal sequences in the form data, such as /wp-content/uploads/fusion-forms/../../../wp-config.php, the attacker can trick the system into deleting essential files like wp-config.php. The absence of proper validation checks allows this malicious input to be processed during the plugin’s automated privacy cleanup routine, leading to the deletion of the specified files.

Deleting wp-config.php forces WordPress back into its initial setup state, letting an attacker run the installer against a database they control. This scenario can result in complete site takeover and the execution of arbitrary code on the server.

Given the widespread use of the Avada Builder plugin and the simplicity of exploiting this flaw, the risk to affected websites is substantial. The vulnerability was reported to the vendor on May 15, 2026, and a patch was released in version 3.15.4 on June 2, 2026. Users are strongly urged to update to this latest version immediately to mitigate the risk.

This incident underscores the critical importance of rigorous input validation and secure coding practices in plugin development. Website administrators should remain vigilant, ensuring that all plugins are regularly updated and that security measures are in place to detect and prevent such vulnerabilities.