Skip to main content

Avada Fusion Builder CVE-2026-8713

| EUVDEUVD-2026-37987 CRITICAL
Path Traversal (CWE-22)
2026-06-19 Wordfence GHSA-47xm-33q8-pw6w
9.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated single HTTP POST to a public AJAX endpoint deletes arbitrary files, breaking integrity and availability; no confidentiality leak until follow-on RCE.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 06:31 vuln.today
CVE Published
Jun 19, 2026 - 04:31 nvd
CRITICAL 9.1

DescriptionCVE.org

The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.

AnalysisAI

Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site with Avada form
Delivery
Craft path-traversal payload targeting wp-config.php
Exploit
POST to fusion_form_submit_ajax unauthenticated
Install
Set privacy fields to force immediate deletion
C2
Shutdown hook invokes maybe_delete_files
Execute
wp-config.php removed, site enters setup mode
Impact
Hijack setup to gain admin RCE

Vulnerability AssessmentAI

Exploitation The target WordPress site must have the Avada (Fusion) Builder plugin at version 3.15.3 or earlier installed and activated, and must have at least one published Avada form whose configuration saves submitted entries to the database - forms that only email submissions do not create the database row the shutdown hook later processes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to a high-priority issue requiring rapid patching. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running Avada with a published form that saves entries to the database, then submits a single crafted POST to /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax embedding a path-traversal payload pointing at wp-config.php and setting fusion_privacy_expiration_interval plus privacy_expiration_action so the entry is immediately eligible for deletion. The shutdown hook fires within the same request, the Fusion_Form_DB_Privacy routine invokes maybe_delete_files on the unsanitized path, and wp-config.php is removed; the attacker then revisits the site, which enters the WordPress setup wizard and lets them attach a database they control, yielding full administrator access and remote code execution via plugin/theme upload. …
Remediation No vendor-released patch identified at time of analysis in the provided input - administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e4bfb72e-023b-4bfd-b125-91f6ac2f200f?source=cve and the ThemeFusion changelog for a release above 3.15.3 and update immediately when published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable Avada Fusion Builder plugin or restrict access to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint via Web Application Firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-8713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy