Unrated

Unauthenticated Arbitrary File Deletion in Avada (Fusion) Builder <= 3.15.3

IdentifiersCVE-2026-8713CWE-22

CVE-2026-8713 is a critical vulnerability in the Avada (Fusion) Builder plugin for WordPress affecting all versions up to and including 3.15.3. The flaw is caused by insufficient file path validation in the maybe_delete_files() function, which converts user-influenced upload URLs into filesystem paths and passes them to file deletion logic without securely resolving the path or enforcing containment within the intended upload directory. As a result, unauthenticated attackers can use path traversal sequences to cause deletion of arbitrary files on the server. Exploitation requires a published Avada form configured to save entries to the database. An attacker submits a crafted payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler and controls the fusion_privacy_expiration_interval and privacy_expiration_action fields to force immediate cleanup, causing the malicious entry to be processed automatically by the Fusion_Form_DB_Privacy shutdown-hook routine without administrator interaction.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated arbitrary deletion of server files accessible to the WordPress process. Deletion of critical files such as wp-config.php can force WordPress back into setup mode, enabling site takeover by reconfiguration and potentially leading to full compromise and remote code execution. The vulnerability therefore threatens confidentiality, integrity, and availability of the affected site.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, remove or restrict access to published Avada forms that save entries to the database, especially unauthenticated submission paths exposed through wp_ajax_nopriv_fusion_form_submit_ajax. Disable the affected plugin or form functionality if necessary. Monitor for malicious form submissions containing path traversal sequences and investigate unexpected file deletions. Where available, use protective controls such as a WAF rule set capable of detecting traversal payloads in form data.

Remediation

Patch, then assume compromise.

Upgrade Avada (Fusion) Builder to version 3.15.4 or later, which patches the vulnerable file path handling. Verify that all affected instances are updated and remove any outdated plugin copies from the environment. Review published Avada forms and confirm that form-handling components are running the patched version.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

ThemeFusionAvada Builderapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app

scworldNews

Jun 22, 2026

WordPress plugin Gravity SMTP exploited for sensitive information disclosure | brief | SC Media

A critical file deletion vulnerability affecting the Avada Builder WordPress plugin.

cyber security newsNews

Jun 19, 2026

Critical WordPress Plugin Vulnerability Exposes File Deletion 1 Million Sites to File Deletion Attacks

A critical arbitrary file-deletion/path traversal vulnerability in the Avada (Fusion) Builder WordPress plugin that can let unauthenticated attackers delete arbitrary files and potentially achieve full site takeover and remote code execution.

security online infoNews

Jun 19, 2026

Avada Builder Flaw: File Deletion Hits 1M Sites (9.1)

A critical unauthenticated arbitrary file deletion vulnerability in themefusion Avada (Fusion) Builder that can be leveraged to delete sensitive files such as wp-config.php and potentially lead to full site compromise and remote code execution.

cvefeed high severityNews

Jun 19, 2026

CVE-2026-8713 - Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

An unauthenticated arbitrary file deletion vulnerability in the Avada (Fusion) Builder plugin for WordPress that can potentially lead to remote code execution by deleting critical files such as wp-config.php.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-8713

NVD

nvd.nist.gov/vuln/detail/CVE-2026-8713

MITRE CWE · CWE-22

cwe.mitre.org