Unauthenticated Arbitrary File Deletion in Avada (Fusion) Builder <= 3.15.3
CVE-2026-8713 is a critical arbitrary file deletion vulnerability in the Avada (Fusion) Builder plugin for WordPress affecting all versions up to and including 3.15.3. The flaw is caused by insufficient file path validation in the maybe_delete_files() function, reported as part of the Fusion form handling code path. The vulnerable logic converts a user-influenced upload URL into a local filesystem path and deletes the resulting file without performing adequate canonicalization or containment checks, allowing path traversal sequences to escape the intended upload directory. Exploitation is possible through the unauthenticated wp_ajax_nopriv_fusion_form_submit_ajax handler when a target site exposes a published Avada form configured to save entries to the database. An attacker can submit a crafted form entry containing a traversal payload and manipulate the fusion_privacy_expiration_interval and privacy_expiration_action fields to force immediate cleanup. The malicious entry is then automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine, resulting in deletion of attacker-selected files on the server without administrator interaction.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical arbitrary file-deletion/path traversal vulnerability in the Avada (Fusion) Builder WordPress plugin that can let unauthenticated attackers delete arbitrary files and potentially achieve full site takeover and remote code execution.
A critical unauthenticated arbitrary file deletion vulnerability in themefusion Avada (Fusion) Builder that can be leveraged to delete sensitive files such as wp-config.php and potentially lead to full site compromise and remote code execution.
An unauthenticated arbitrary file deletion vulnerability in the Avada (Fusion) Builder plugin for WordPress that can potentially lead to remote code execution by deleting critical files such as wp-config.php.
A critical unauthenticated arbitrary file deletion vulnerability in the Avada (Fusion) Builder WordPress plugin caused by insufficient file path validation in maybe_delete_files(), enabling path traversal-based deletion of arbitrary server files and possible site takeover or remote code execution.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.