- CVE: CVE-2026-8713
- CVSS: 9.1 (Critical)
- Product: themefusion Avada (Fusion) Builder
- Affected: ≤ 3.15.3
- Impact: Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
- Status: No confirmed exploitation yet
- Action: Update Avada Builder to v3.15.4 or later now
Around one million WordPress sites just got an urgent reason to patch. A critical Avada Builder vulnerability lets unauthenticated attackers delete any file on the server. Tracked as CVE-2026-8713, the flaw carries a CVSS score of 9.1. The plugin is a premium drag-and-drop page builder. Worse still, deleting the right file can hand attackers full control.
Why It Matters
Avada Builder ships with the hugely popular Avada theme. So roughly 1,000,000 active installations are in scope. Because no login is required, the bar for attackers is low. No administrator interaction is needed to trigger the deletion. As a result, Wordfence rates the issue critical.
How the Attack Works
The bug lives in the maybe_delete_files function, which fails to validate file paths properly. It builds a filesystem path by substituting the local upload directory for the upload URL in a stored form value, yet it performs no realpath or containment check on the result. Consequently, path traversal sequences in that value survive into the final deletion target.
From there, the cleanup routine does the dirty work. The Avada Builder vulnerability lets the attacker point that deletion at wp-config.php. Once that file vanishes, WordPress drops into its setup state. Then the attacker can connect the site to a malicious database. Ultimately, that path leads to remote code execution. As with all file-deletion flaws, this can mean complete site compromise.
One Catch for Attackers
Exploitation is not entirely frictionless, however. The target site must run a published Avada form that saves entries to the database, and the attacker must also be able to set the form’s privacy-expiration fields to force an immediate cleanup. Still, default Avada forms with database storage fit the bill, so many sites remain genuinely exposed.
Patch Now
The fix landed in Avada Builder 3.15.4. Therefore, administrators should update immediately. Avada powers business sites, blogs, and stores worldwide, so the blast radius is wide. Researcher “daroo” reported the bug through the Wordfence Bug Bounty Program and earned $3,600. You can read the full technical breakdown in the Wordfence advisory. There is no public sign of mass exploitation yet. Above all, do not delay on a flaw this severe.