Arbitrary File Deletion in Avada Builder Plugin for WordPress
CVE-2026-8713
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 19 June 2026
Badges
What is CVE-2026-8713?
The Avada (Fusion) Builder plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation in its maybe_delete_files function. This vulnerability affects all versions up to and including 3.15.3, enabling unauthenticated attackers to delete files on the server. By exploiting this weakness, attackers can use path-traversal payloads in conjunction with specific form submissions, allowing for unauthorized access and potential remote code execution through crucial files like wp-config.php. The exploitation requires a setup where an Avada form is configured to database entries, leading to direct consequences without administrator involvement.
Affected Version(s)
Avada (Fusion) Builder 0 <= 3.15.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved