{"id":13754,"date":"2026-06-20T10:04:20","date_gmt":"2026-06-20T10:04:20","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/20\/critical-wordpress-plugin-vulnerability-exposes-1-million-sites-to-file-deletion-attacks\/"},"modified":"2026-06-20T10:04:20","modified_gmt":"2026-06-20T10:04:20","slug":"critical-wordpress-plugin-vulnerability-exposes-1-million-sites-to-file-deletion-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/20\/critical-wordpress-plugin-vulnerability-exposes-1-million-sites-to-file-deletion-attacks\/","title":{"rendered":"Critical WordPress Plugin Vulnerability Exposes 1 Million Sites to File Deletion Attacks"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A critical security vulnerability in the widely used <a href=\"https:\/\/cybersecuritynews.com\/avada-builder-plugin-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Avada (Fusion) Builder WordPress plugin has exposed<\/a> over 1 million websites to arbitrary file-deletion attacks, potentially leading to full-site compromise and remote code execution.<\/p>\n<p class=\"wp-block-paragraph\">The flaw, tracked as CVE-2026-8713 with a CVSS score of 9.1, was discovered by security researcher \u201cdaroo\u201d and reported through the Wordfence Bug Bounty Program.<\/p>\n<p class=\"wp-block-paragraph\">The researcher received a $3,600 reward for the finding. 
The vulnerability affects all plugin versions up to and including 3.15.3 and is patched in version 3.15.4.<\/p>\n<h2 id=\"h-avada-wordpress-plugin-vulnerability\" class=\"wp-block-heading\"><strong>Avada WordPress Plugin Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The issue stems from improper file-path validation in the plugin\u2019s file-deletion logic, in the <code>maybe_delete_files()<\/code> function. Because of it, unauthenticated attackers can delete arbitrary files on the server by <a href=\"https:\/\/cybersecuritynews.com\/critical-wordpress-plugin-vulnerability-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">exploiting a path-traversal vulnerability<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Attackers can abuse Avada\u2019s form builder, specifically when a form is configured to store submissions in the database.<\/p>\n<p class=\"wp-block-paragraph\">By submitting a crafted payload containing directory-traversal sequences, an attacker can manipulate the stored file path so that it points at sensitive files outside the intended upload directory.<\/p>\n<p class=\"wp-block-paragraph\">The attack requires a publicly accessible Avada form with database storage enabled. 
An attacker submits a malicious form entry containing a path such as <code>\/wp-content\/uploads\/fusion-forms\/..\/..\/..\/wp-config.php<\/code>; the three <code>..<\/code> segments climb from the form-upload directory back to the web root.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEig37VwHNI7MUGpDTCp89d3WAFELZ_22GRwE37MiQ4oSEBaQDUqyBBdM1At_uzDUZjdfsRsx1VP_i8MhrdhP9PIXT0XiDTorFk0vB_U36TSl2AJPlyroLEBzUGvtpkfXGgvmYW5SFO6pXYdvhBObIlUE8q3sYXacAS0b2Te5a_BrgWsLFT3wI7MazUFeiE\/s1600\/Screenshot%25202026-06-19%2520180642%2520%25281%2529.webp?ssl=1\" alt=\"The Wordfence firewall detects the path traversal attempt in form data and blocks the request (source: Wordfence)\"><figcaption class=\"wp-element-caption\">The Wordfence firewall detects the path traversal attempt in form data and blocks the request (source: Wordfence)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Because the path is never validated, the plugin processes this input during its automated privacy-cleanup routine and hands it to <a href=\"https:\/\/cybersecuritynews.com\/20000-wordpress-sites-vulnerable-to-arbitrary-file-upload\/\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress\u2019s native file-deletion<\/a> function, which removes the targeted file.<\/p>\n<p class=\"wp-block-paragraph\">Notably, the attacker can trigger this cleanup immediately by controlling specific form parameters; no authentication or administrator interaction is required.<\/p>\n<p class=\"wp-block-paragraph\">Deleting critical files, such as <code>wp-config.php<\/code>, forces WordPress into a setup state. 
With the configuration file gone, WordPress presents its installation wizard, which lets an attacker point the site at a database they control, create an administrator account and, from there, upload a plugin or theme to achieve remote code execution and full site takeover.<\/p>\n<p class=\"wp-block-paragraph\">Given the plugin\u2019s popularity and the ease of exploitation, this vulnerability poses a significant risk to affected websites.<\/p>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/06\/critical-unauthenticated-arbitrary-file-deletion-vulnerability-patched-in-avada-builder-wordpress-plugin\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">vulnerability was reported through Wordfence<\/a> on May 13, 2026, validated and disclosed to the vendor on May 15, and patched by the Avada team on May 19. The fix was officially released in Avada version 3.15.4 on June 2, 2026.<\/p>\n<p class=\"wp-block-paragraph\">Users are strongly advised to update to Avada Builder version 3.15.4 immediately; sites running older versions remain vulnerable to unauthenticated exploitation.<\/p>\n<p class=\"wp-block-paragraph\">Wordfence users are protected against this attack through built-in firewall rules that detect and block path-traversal attempts in form submissions.<\/p>\n<p class=\"wp-block-paragraph\">The root cause is the plugin\u2019s failure to enforce a directory-containment check or to resolve file paths securely: without validating the final resolved path, traversal sequences can escape the intended directory, enabling arbitrary file deletion.<\/p>\n<p class=\"wp-block-paragraph\">This case highlights the ongoing risks of insufficient input validation in file-handling functions. 
It reinforces the importance of secure coding practices in plugin development.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/avada-wordpress-plugin-vulnerability\/\">Critical WordPress Plugin Vulnerability Exposes 1 Million Sites to File Deletion Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical security vulnerability in the widely used Avada (Fusion) Builder WordPress plugin has exposed over 1 million websites to arbitrary file-deletion attacks, potentially leading to full-site compromise and remote code execution. 
The flaw, tracked as CVE-2026-8713 with a CVSS score of 9.1, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648,593],"tags":[130],"class_list":["post-13754","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","category-wordpress","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13754"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13754"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13754\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13754"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
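The directory-containment check the article says the plugin lacked, shown as an added example in PHP (it is not Avada's or Wordfence's code, and the real `maybe_delete_files()` is not reproduced here). It puts a deletion routine that trusts a stored path next to one that resolves the path with `realpath()` and refuses anything that lands outside the upload directory, then runs the article's traversal payload against both inside a constructed temporary web root. The function names and the sandbox layout are hypothetical, and POSIX `/` separators are assumed; in a real plugin the base directory would come from `wp_upload_dir()` and deletion would go through `wp_delete_file()`.

```php
<?php
// Added example, not code from Avada or Wordfence. It contrasts a file-deletion
// routine that trusts a stored path (the class of bug described above) with one
// that resolves the path and verifies it stays inside the intended directory.
// Function names and the sandbox layout are hypothetical; in a real plugin the
// base directory would come from wp_upload_dir() and deletion would go through
// wp_delete_file() instead of unlink(). POSIX "/" separators are assumed.
declare(strict_types=1);

/** Vulnerable: "../" in $stored_path walks out of $base_dir before unlink() runs. */
function delete_upload_vulnerable(string $base_dir, string $stored_path): bool
{
    $target = rtrim($base_dir, '/') . '/' . $stored_path;
    return is_file($target) && unlink($target);
}

/**
 * Hardened: realpath() collapses "..", "." and symlinks on both sides, and the
 * trailing slash on $base stops a sibling such as "fusion-forms-old" from
 * passing a plain prefix comparison.
 */
function delete_upload_hardened(string $base_dir, string $stored_path): bool
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    $base  .= '/';
    $target = realpath($base . $stored_path);   // false if the file does not exist
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base, strlen($base)) !== 0) {
        error_log("refused: '{$stored_path}' resolves outside {$base}");
        return false;
    }
    return unlink($target);
}

/** Constructed sandbox: a fake web root with wp-config.php and one stored upload. */
function make_sandbox(): string
{
    $root  = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
    $forms = $root . '/wp-content/uploads/fusion-forms';
    mkdir($forms, 0700, true);
    file_put_contents($root . '/wp-config.php', "<?php // constructed sample\n");
    file_put_contents($forms . '/entry-1.txt', "constructed sample submission\n");
    return $root;
}

// Same traversal as the article's payload, expressed relative to the form-upload
// directory: three ".." segments climb from fusion-forms back to the web root.
$payload = '../../../wp-config.php';

$root  = make_sandbox();
$forms = $root . '/wp-content/uploads/fusion-forms';
delete_upload_vulnerable($forms, $payload);
printf("vulnerable: wp-config.php %s\n", is_file("$root/wp-config.php") ? 'survives' : 'DELETED');

$root  = make_sandbox();
$forms = $root . '/wp-content/uploads/fusion-forms';
delete_upload_hardened($forms, $payload);
printf("hardened:   wp-config.php %s\n", is_file("$root/wp-config.php") ? 'survives' : 'DELETED');
delete_upload_hardened($forms, 'entry-1.txt');
printf("hardened:   entry-1.txt %s\n", is_file("$forms/entry-1.txt") ? 'survives' : 'deleted (legitimate)');
```

Run it with `php example.php`. Resolving the final path and comparing it to the resolved base is stronger than rejecting strings that contain `..`, because a substring filter misses encoded variants and symlinks, and it fails closed when `realpath()` cannot resolve the input. The better design for a form plugin is to never store an attacker-supplied path at all: store a server-generated file name and rebuild the full path from the upload directory at deletion time.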