Critical WordPress Plugin Flaw Exposes 1 Million Sites
A critical security vulnerability has been identified in the widely used Avada (Fusion) Builder WordPress plugin. This flaw exposes over one million websites to arbitrary file-deletion attacks, potentially leading to full-site compromise and remote code execution.
The flaw, tracked as CVE-2026-8713 with a CVSS score of 9.1, was discovered by security researcher “daroo” and reported through the Wordfence Bug Bounty Program.
The researcher received a $3,600 reward for the finding. The vulnerability affects all plugin versions up to 3.15.3 and has been patched in version 3.15.4.
Avada WordPress Plugin Vulnerability
The issue stems from improper file path validation in the plugin’s file-deletion logic, specifically the maybe_delete_files() function. This flaw allows unauthenticated attackers to delete arbitrary files on the server by exploiting a path-traversal vulnerability.
Attackers can abuse Avada’s form builder feature, specifically when a form is configured to store submissions in the database.
By submitting a crafted payload containing directory traversal sequences, an attacker can manipulate file paths and target sensitive files outside the intended upload directory.
The attack requires a publicly accessible Avada form with database storage enabled. An attacker submits a malicious form entry containing a path such as: /wp-content/uploads/fusion-forms/../../../wp-config.php.

Due to missing validation checks, the plugin processes this input during its automated privacy cleanup routine. The system then deletes the targeted file using WordPress’s native file deletion function.
Notably, the attacker can trigger this cleanup process immediately by controlling specific form parameters, requiring no authentication or administrator interaction.
Deleting critical files, such as wp-config.php, forces WordPress into a setup state. This can allow attackers to reconfigure the site using a malicious database, ultimately leading to full site takeover and remote code execution.
Given the plugin’s popularity and the ease with which it can be exploited, this vulnerability poses a significant risk to affected websites.
The vulnerability was reported through Wordfence on May 13, 2026, validated and disclosed to the vendor on May 15, and patched by the Avada team on May 19. The fix was officially released in Avada version 3.15.4 on June 2, 2026.
Users are strongly advised to update to Avada Builder version 3.15.4 immediately. Websites running outdated versions remain vulnerable to active exploitation.
Wordfence users are protected against this attack through built-in firewall rules that detect and block path traversal attempts in form submissions.
The root cause lies in the plugin’s failure to enforce directory containment checks or resolve file paths securely. Without validating the final resolved path, the system allows traversal sequences to escape the intended directory, enabling arbitrary file deletion.
This case highlights the ongoing risks of insufficient input validation in file-handling functions. It reinforces the importance of secure coding practices in plugin development.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.