
Over 1 Million Sites at Risk Due to WordPress Avada Builder Plugin: Critical Vulnerability Allows Remote File Deletion!
Attention to cybersecurity professionals and web resource administrators! A critical vulnerability has been discovered in the Avada Builder (Fusion Builder) plugin developed for WordPress — one of the world’s most popular content management systems. By exploiting this vulnerability, attackers can delete critical files on the server without authentication, potentially leading to complete takeover of the website and remote code execution.
The vulnerability, discovered by security researchers, is registered under identifier CVE-2026-8713 and has been assigned a CVSS score of 9.1, indicating an extremely high level of severity.
How Was the Vulnerability Discovered?
This vulnerability was found by security researcher “daroo” and reported to developers through the Wordfence Bug Bounty program. The researcher received a reward of $3,600 USD for this discovery.
According to available information, the vulnerability affects all versions of the Avada Builder plugin up to and including 3.15.3. The issue was addressed by developers, and the security update was released on June 2, 2026, in version 3.15.4.
Technical Nature of the Vulnerability
The problem arises due to insufficient validation of file paths in the maybe_delete_files() function included in the plugin. As a result, an attacker can send specially crafted requests with malformed file paths and exploit the Path Traversal method.
Under normal circumstances, the plugin should only work with data within the uploaded files directory. However, due to the lack of verification that the final file path is indeed within the permitted directory, an attacker can escape the directory boundaries.
For example, a malicious user can send a specially crafted path like the following:
/wp-content/uploads/fusion-forms/../../../wp-config.php
As a result, the system exits the uploaded files directory and accesses wp-config.php — one of WordPress’s core configuration files.
How Is the Attack Carried Out?
To exploit this vulnerability, the following conditions are sufficient:
- The Avada Builder plugin is installed on the site;
- The site has a publicly accessible Avada form;
- The function to save submitted form data to the database is enabled.
The attacker submits specially prepared data through the form. Subsequently, during the processing of this data by the plugin’s automatic privacy and cleanup mechanism, the malicious path is treated as an actual file, and the specified file is deleted using WordPress’s standard file deletion function.
The most alarming aspect is that no administrator intervention is required to trigger this process. The attacker can independently activate the file deletion process by manipulating certain parameters.
What Could Be the Consequences?
This vulnerability represents a far more serious issue than just the ability to delete files. An attacker can target critical WordPress system files.
If the wp-config.php file is deleted:
- WordPress may treat the site as a newly installed system;
- The attacker may attempt to exploit the reconfiguration process;
- There is a risk of altering the site’s database configuration;
- A threat arises of connecting to a malicious database or external resources;
- As a result, the site could be completely compromised.
Furthermore, in some cases, the deletion of system files can lead to Remote Code Execution (RCE) capabilities. This provides the attacker with nearly complete control over the server.
Why Does This Vulnerability Pose a Particular Threat?
Avada Builder is one of the most popular page builders in the WordPress ecosystem. Millions of websites are built using this plugin, and the ability to exploit the vulnerability without authentication further elevates its risk level.
According to experts, websites with publicly accessible forms are at the greatest risk. Because the attacker does not need login credentials or special privileges — simply submitting a form as a regular user may be sufficient.
Recommendations for Organizations and Administrators
To protect against this threat, it is recommended to take the following measures:
1. Update the Plugin Immediately
It is necessary to upgrade to Avada Builder version 3.15.4 or newer. Sites running older versions remain at risk.
2. Review Form Configurations
If the data storage function is enabled for Avada forms, reassess their security settings.
3. Analyze Site Logs
Pay attention to identifying the following signs:
- Unusual form submissions;
- Requests containing
../characters; - Unexpected file deletion events;
- Disappearance of configuration files;
- Unusual activity in administrator accounts.
4. Maintain Regular Backups
Regularly creating backups of the site and database will help mitigate the impact of a potential attack.
5. Use a Web Application Firewall
Web Application Firewall (WAF) solutions such as Wordfence or similar can detect and block Path Traversal attempts.
The CVE-2026-8713 vulnerability has once again demonstrated how critical rigorous security checks are in WordPress plugin development, particularly regarding user input handling and file operations.
What may seem at first glance like a simple file deletion capability can, in reality, lead to complete website takeover, leakage of confidential data, and execution of malicious code on the server. Therefore, all organizations and administrators using the Avada Builder plugin must immediately install security updates and inspect their infrastructures for possible signs of compromise.
Cybersecurity practice shows that even a single improperly validated file path can pose a serious threat to the security of millions of users and web resources.



