Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Unauthenticated single HTTP POST to a public AJAX endpoint deletes arbitrary files, breaking integrity and availability; no confidentiality leak until follow-on RCE.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Articles & Coverage 1
AnalysisAI
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have the Avada (Fusion) Builder plugin at version 3.15.3 or earlier installed and activated, and must have at least one published Avada form whose configuration saves submitted entries to the database - forms that only email submissions do not create the database row the shutdown hook later processes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals point to a high-priority issue requiring rapid patching. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a WordPress site running Avada with a published form that saves entries to the database, then submits a single crafted POST to /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax embedding a path-traversal payload pointing at wp-config.php and setting fusion_privacy_expiration_interval plus privacy_expiration_action so the entry is immediately eligible for deletion. The shutdown hook fires within the same request, the Fusion_Form_DB_Privacy routine invokes maybe_delete_files on the unsanitized path, and wp-config.php is removed; the attacker then revisits the site, which enters the WordPress setup wizard and lets them attach a database they control, yielding full administrator access and remote code execution via plugin/theme upload. … |
| Remediation | No vendor-released patch identified at time of analysis in the provided input - administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e4bfb72e-023b-4bfd-b125-91f6ac2f200f?source=cve and the ThemeFusion changelog for a release above 3.15.3 and update immediately when published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable Avada Fusion Builder plugin or restrict access to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint via Web Application Firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37987
GHSA-47xm-33q8-pw6w