CyberSecurity SEE

Critical WordPress Plugin Vulnerability May Enable File Deletion Attacks on One Million Sites

A serious vulnerability has been disclosed in the widely used Avada (Fusion) Builder WordPress plugin. It allows unauthenticated attackers to delete arbitrary files on the web server and, through that, potentially take over the whole site. Roughly one million installations are affected, so administrators should treat it as urgent.

The flaw is tracked as CVE-2026-8713 and is rated critical, with a CVSS score of 9.1. It affects all versions of the plugin up to and including 3.15.3; version 3.15.4 contains the fix. It was discovered by a security researcher known as “daroo,” who reported it through the Wordfence Bug Bounty Program and received $3,600 for the report.

### Nature of the Vulnerability

The vulnerability stems from insufficient file path validation in the plugin’s maybe_delete_files() function, part of the Fusion_Form_DB_Entries class. Avada Builder ships a form feature that can store user submissions in the database. Those entries are later processed by a privacy cleanup routine whose job is to delete or anonymize stored submissions once a configured expiration period has passed.

Because the function neither sanitizes nor normalizes the stored file paths, it never checks that they actually stay inside the intended uploads directory. An attacker can exploit this by submitting a form value that contains path traversal sequences (such as ../), which are stored unchanged along with the rest of the entry.

Since the plugin does not enforce a directory boundary (for example by resolving the path with realpath() and checking that the result still begins with the canonical uploads directory), a path pointing at a sensitive file outside the uploads directory survives into the cleanup step. When the cleanup runs, it converts the user-controlled URL into a filesystem path and hands it to WordPress’s wp_delete_file() function, which unlinks whatever that path resolves to. The result is arbitrary file deletion.

### Exploitation Risks

Exploitation requires a publicly reachable Avada form that is configured to store entries in the database. An unauthenticated attacker can send a crafted request to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint, placing the traversal payload in the form data and manipulating parameters such as fusion_privacy_expiration_interval and privacy_expiration_action so that the deletion is triggered immediately rather than after the configured expiration period. The deletion fires from a shutdown hook during that same request, so no administrator interaction is needed.

The consequences can be severe. If the attacker deletes wp-config.php, WordPress loses its database configuration and falls back into its installation routine. The attacker can then complete that installation against a database they control, which gives them an administrator login on the site, and deploy arbitrary PHP through a plugin or theme. That amounts to full remote code execution on the server.

### Mitigation and Response

Wordfence has stated that its firewall protects against exploitation by detecting and blocking path traversal sequences in submitted form data. The vulnerability was disclosed to the Avada development team on May 15, 2026, and the patched release followed on June 2, 2026.

Given the severity of the flaw and how little the attack requires, administrators running Avada Builder should update to version 3.15.4 immediately. Beyond patching, audit which forms are publicly accessible and whether they store entries in the database, put a web application firewall in front of the site, and watch logs for suspicious form submissions and unexpected file deletions. A site that suddenly serves the WordPress installer page is a strong sign that wp-config.php is gone.

In summary, CVE-2026-8713 in Avada Builder shows how a privacy cleanup feature fed unvalidated paths turns into an arbitrary file deletion primitive. Prompt updates, a web application firewall in front of public forms, and monitoring for unexpected deletions remain the practical defenses.
