Critical Path Traversal Vulnerability in Avada Builder Threatens Over One Million WordPress Installations

A critical security flaw has been identified in the widely used Avada (Fusion) Builder WordPress plugin. The vulnerability allows unauthenticated attackers to delete arbitrary files on the server, which can lead to full site compromise, and it affects more than one million active installations.

Tracked as CVE-2026-8713, the vulnerability carries a CVSS score of 9.1 (Critical) and affects all plugin versions up to and including 3.15.3. It was reported by security researcher “daroo” through the Wordfence Bug Bounty Program, which paid a $3,600 bounty for the responsible disclosure.

Technical Deep Dive: The Root Cause

The vulnerability is rooted in insufficient file path validation in the maybe_delete_files() function of the Fusion_Form_DB_Entries class. Avada Builder ships a form feature that can log submissions to the database. To comply with data privacy requirements, the plugin includes a cleanup mechanism that anonymizes or purges those entries after a configurable expiration period, and purging an entry also removes the files whose URLs are stored with it.

The technical breakdown of the failure is as follows:

  • Improper sanitization: the cleanup routine does not sanitize or normalize the stored file paths before acting on them.
  • No boundary enforcement: the function never resolves the path (for example with PHP's realpath()) and checks that the result still lies inside the intended uploads directory.
  • Path traversal: an attacker can place traversal sequences such as ../../ in form input, and because nothing rejects them, the malicious path survives unchanged through to the deletion step.

When the cleanup routine runs, it converts the attacker-controlled URL into a local filesystem path and hands it straight to the WordPress core function wp_delete_file(), so the attacker can delete any file the web server process has permission to remove.
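The following is an added illustration, written in Python rather than the plugin's PHP, and it is not code from Avada Builder or from Wordfence. It models the flow described above: a stored URL is mapped onto the uploads directory and passed to a delete call. The vulnerable variant skips the boundary check, the hardened variant resolves the path and refuses anything that lands outside the uploads directory. The base URL, the url_to_local_path helper and the fusion-forms subdirectory are assumptions made for the model, not identifiers taken from the plugin. One porting caveat: PHP's realpath() returns false for a path that does not exist, so a PHP version must treat that result as a rejection rather than as an empty string.

```python
import os
import tempfile
from urllib.parse import unquote, urlparse

# Assumed site layout for the model (hypothetical value, not a plugin constant).
UPLOAD_URL_BASE = "https://example.test/wp-content/uploads"


def url_to_local_path(url: str, uploads_dir: str) -> str:
    """Map an uploads URL onto the filesystem the way a naive cleanup routine
    would: strip the base URL, then join whatever is left onto the uploads
    directory. Traversal sequences in the URL survive this step verbatim."""
    url_path = unquote(urlparse(url).path)
    base_path = urlparse(UPLOAD_URL_BASE).path
    if not url_path.startswith(base_path + "/"):
        return ""
    return os.path.join(uploads_dir, url_path[len(base_path) + 1:].lstrip("/"))


def vulnerable_delete(url: str, uploads_dir: str) -> bool:
    """Mirrors the flawed flow: URL -> path -> delete, with no boundary check."""
    path = url_to_local_path(url, uploads_dir)
    if path and os.path.isfile(path):
        os.remove(path)
        return True
    return False


def is_inside(base_dir: str, candidate: str) -> bool:
    """Resolve both paths (symlinks and '..' included) and require the
    candidate to sit under the base directory."""
    real_base = os.path.realpath(base_dir)
    real_candidate = os.path.realpath(candidate)
    return os.path.commonpath([real_base, real_candidate]) == real_base


def hardened_delete(url: str, uploads_dir: str) -> bool:
    """Same flow with the containment check the advisory describes as missing."""
    path = url_to_local_path(url, uploads_dir)
    if not path or not is_inside(uploads_dir, path):
        return False
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def demo() -> dict:
    """Create a throwaway site tree, then aim a traversal URL at the config
    file two directories above uploads and run both variants against it."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(os.path.join(uploads, "fusion-forms"))
        config = os.path.join(root, "wp-config.php")
        legit = os.path.join(uploads, "fusion-forms", "resume.pdf")
        for name in (config, legit):
            with open(name, "w") as fh:
                fh.write("constructed placeholder\n")

        traversal_url = UPLOAD_URL_BASE + "/../../wp-config.php"
        encoded_url = UPLOAD_URL_BASE + "/%2e%2e/%2e%2e/wp-config.php"
        legit_url = UPLOAD_URL_BASE + "/fusion-forms/resume.pdf"

        # Entries are evaluated in order, so the hardened checks run first.
        return {
            "hardened_refuses_traversal": not hardened_delete(traversal_url, uploads),
            "hardened_refuses_encoded": not hardened_delete(encoded_url, uploads),
            "config_intact_after_hardened": os.path.isfile(config),
            "hardened_deletes_legit_upload": hardened_delete(legit_url, uploads),
            "vulnerable_deletes_config": vulnerable_delete(traversal_url, uploads),
            "config_gone_after_vulnerable": not os.path.isfile(config),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The check compares resolved paths rather than looking for the literal string "../", which is why the percent-encoded form is rejected as well: both URLs resolve to the same file outside the uploads directory. Rejecting the request is the right outcome; silently "fixing" the path by stripping traversal sequences leaves room for encodings the filter did not anticipate.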

[Figure: Avada Builder Path Traversal Blocked (Source: Wordfence)]

Attack Vector and Impact

Exploiting this flaw is straightforward. An unauthenticated attacker only needs a publicly accessible Avada form that is configured to store entries in the database. By sending a crafted request to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint, the attacker injects the payload into the form data, and by manipulating parameters such as fusion_privacy_expiration_interval and privacy_expiration_action, forces the cleanup routine to run immediately via a shutdown hook. No administrator interaction is required.

The most damaging outcome is the deletion of wp-config.php. With that file gone, WordPress behaves as a fresh installation and offers its setup wizard, which lets the attacker reconfigure the site against a database under their control; from there the path to Remote Code Execution (RCE) and complete administrative takeover of the site is short.

Remediation and Defense

The Avada development team responded quickly to the disclosure of May 15, 2026, releasing a patch on June 2, 2026. Wordfence has confirmed that its firewall detects and blocks these path traversal attempts, but a WAF rule is a stopgap, not a substitute for patching.

Immediate Action Required:

  1. Update immediately: all administrators using Avada Builder must upgrade to version 3.15.4 or later.
  2. Audit forms: review all publicly accessible forms and stop storing submissions in the database where that is not needed.
  3. Monitor logs: inspect web server and WordPress logs for unexpected requests to admin-ajax.php (the endpoint through which wp_ajax hooks are reached) and for file deletion errors.
  4. Apply least privilege: deleting a file requires write access to its directory, so a web server user that cannot write to the WordPress root limits what an arbitrary-deletion bug can reach.
