Critical Unauthenticated File Deletion Vulnerability Patched in Avada Builder WordPress Plugin
A critical unauthenticated arbitrary file deletion vulnerability (CVE-2026-8713, CVSS 9.1) in the Avada Builder WordPress plugin, affecting up to 1 million sites, has been patched in version 3.15.4.

On May 13, 2026, the Wordfence Bug Bounty Program received a report of a critical unauthenticated arbitrary file deletion vulnerability in Avada Builder, a premium drag-and-drop page builder plugin for WordPress bundled with the popular Avada theme. The flaw, tracked as CVE-2026-8713 with a CVSS score of 9.1, affects all versions up to and including 3.15.3 and could allow attackers to delete arbitrary files on the server, potentially leading to remote code execution and full site takeover.
The vulnerability resides in the maybe_delete_files() function of the Fusion_Form_DB_Entries class. When the plugin's form builder cleanup routine runs—either automatically via a privacy expiration setting or when an administrator manually deletes a form entry—the function searches stored entry values for the Avada Forms upload URL. It then builds a filesystem path by string-replacing the URL prefix with the local upload directory path and deletes the resulting target using wp_delete_file(). Critically, the function performs no realpath resolution or upload-directory containment check, allowing path traversal sequences to be preserved in the final file path.
Exploitation requires a published Avada form configured to save entries to the database. An unauthenticated attacker can submit a form with a text field value containing a path-traversal payload, such as http://victim.com/wp-content/uploads/fusion-forms/../../../../wp-config.php, via the wp_ajax_nopriv_fusion_form_submit_ajax handler. By also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields, the attacker can force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Once wp-config.php is deleted, the WordPress installation enters its initial setup state, which can be leveraged for site takeover by pointing the installation at an attacker-controlled database. From there, the attacker can install plugins or themes containing malicious PHP code, ultimately achieving remote code execution. As with all arbitrary file deletion vulnerabilities, this can lead to complete site compromise.
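As an added illustration of the pattern described above (this is not Avada's code and not the patch the vendor shipped), the string-replacement deletion is shown beside a hardened version that resolves the real path and refuses anything outside the form-upload directory. The `fusion-forms` subdirectory name is taken from the payload URL in this advisory, and the WordPress helpers `wp_upload_dir()` and `wp_delete_file()` are assumed to be loaded.

```php
<?php
// Added illustration, not Avada's code. Assumes the WordPress runtime is loaded.
const FORM_UPLOAD_SUBDIR = 'fusion-forms'; // assumed subdirectory, from the advisory's payload URL

/**
 * Vulnerable pattern: a plain string replacement keeps any "../" from the
 * stored value, so the resulting path can point anywhere the web server
 * user is allowed to unlink, including wp-config.php.
 */
function unsafe_delete_from_url( string $value ): void {
    $uploads = wp_upload_dir();
    $path    = str_replace( $uploads['baseurl'], $uploads['basedir'], $value );
    wp_delete_file( $path ); // no realpath(), no containment check
}

/**
 * Hardened version: only delete a file whose canonical path lies inside the
 * form-upload directory. Returns true if a file was deleted, false otherwise.
 */
function safe_delete_from_url( string $value ): bool {
    $uploads = wp_upload_dir();
    $prefix  = rtrim( $uploads['baseurl'], '/' ) . '/' . FORM_UPLOAD_SUBDIR . '/';

    // Only values that are URLs under the form-upload prefix are candidates.
    if ( strpos( $value, $prefix ) !== 0 ) {
        return false;
    }

    $dir  = $uploads['basedir'] . '/' . FORM_UPLOAD_SUBDIR;
    $base = realpath( $dir );
    // realpath() collapses "..", symlinks and duplicate separators and returns
    // false when the target does not exist, in which case there is nothing to delete.
    $target = realpath( $dir . '/' . substr( $value, strlen( $prefix ) ) );

    if ( $base === false || $target === false || ! is_file( $target ) ) {
        return false;
    }

    // Compare with a trailing separator so "fusion-forms-x" cannot match "fusion-forms".
    if ( strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        error_log( 'Refused to delete file outside the form-upload directory: ' . $target );
        return false;
    }

    wp_delete_file( $target );
    return true;
}
```

With the traversal value quoted in this advisory, `safe_delete_from_url()` resolves the path to the site root, sees that it is not under the `fusion-forms` directory, logs the refusal and returns false without touching the file.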
The vulnerability was discovered and responsibly reported by researcher daroo, who earned a bounty of $3,600.00 through the Wordfence Bug Bounty Program. Wordfence provided full disclosure details to the Avada team on May 15, 2026, and the developer acknowledged the report and submitted a patch on May 19, 2026. The patched version, 3.15.4, was released shortly thereafter. Wordfence users, including those running the free version, are protected against exploits targeting this vulnerability by the Wordfence firewall's built-in path traversal protection.
All users of the Avada Builder plugin are strongly urged to update to version 3.15.4 or later as soon as possible. This vulnerability highlights the importance of proper input validation and path sanitization in file-handling functions, especially in widely deployed plugins with form-building capabilities. The prompt response from the Avada team demonstrates the value of coordinated disclosure programs in securing the WordPress ecosystem.