Critical Avada Builder Flaw Put 1 Million WordPress Sites at Risk of File Deletion Attacks


A critical vulnerability in the Avada Builder WordPress plugin exposed about 1 million websites to unauthenticated arbitrary file deletion attacks. The flaw, tracked as CVE-2026-8713, can let attackers delete sensitive files from vulnerable servers under certain conditions.

The issue affects Avada Builder, also known as Fusion Builder, in versions up to and including 3.15.3. It has been fixed in version 3.15.4, according to the Wordfence vulnerability database.

The risk is serious because deleting a file such as wp-config.php can push a WordPress site into its initial setup state. Attackers may then try to connect the site to a database they control, which can lead to full site takeover and remote code execution.

What makes the Avada Builder flaw critical

Wordfence said the vulnerability received a CVSS score of 9.1 and affects a premium WordPress plugin with an estimated 1 million active installations. The company detailed the issue in its Avada Builder security report.

The flaw comes from insufficient file path validation in the plugin’s maybe_delete_files() function. That function handles file deletion for stored Avada form entries, but vulnerable versions failed to safely confirm that the file path stayed inside the intended uploads directory.

As a result, an unauthenticated attacker could submit a crafted Avada form entry containing path traversal sequences. If the site had the right form configuration, the plugin could later process that entry and delete a file outside the expected form upload folder.

Summary of the vulnerability:

  • Vulnerability: Unauthenticated arbitrary file deletion
  • CVE: CVE-2026-8713
  • Affected plugin: Avada Builder, also known as Fusion Builder
  • Affected versions: Up to and including 3.15.3
  • Fixed version: 3.15.4
  • Severity: Critical, CVSS 9.1
  • Required condition: A published Avada form configured to save submissions to the database

The attack requires a specific Avada Forms setup

The vulnerability does not affect every Avada site in the same way. Exploitation requires a published Avada form configured to save submitted entries to the database, according to the Wordfence analysis.

In that setup, an attacker can submit a form value that includes a malicious file path. The attacker can also control cleanup-related form parameters to trigger deletion without waiting for an administrator to manually remove the entry.

The most dangerous target is wp-config.php, the WordPress configuration file that stores database connection details and other important settings. Removing that file can make WordPress behave like a fresh installation, opening the door to a site takeover if the attacker can complete the setup process.

Avada released a security update on June 2

The Avada team released version 7.15.4 on June 2, 2026, with several security fixes, including a fix for arbitrary file deletion via an Avada Forms entry value. The vendor described the fix in its Avada 7.15.4 security update.

Wordfence’s timeline says the vulnerability was submitted on May 13, validated on May 15, acknowledged by the vendor on May 19, and fully patched in Avada Builder 3.15.4 on June 2.

The researcher, identified as daroo, reported the bug through the Wordfence Bug Bounty Program and received a $3,600 bounty. Wordfence also said its firewall blocks exploit attempts through built-in path traversal protection.

Why arbitrary file deletion can lead to full compromise

Arbitrary file deletion bugs may sound less severe than direct remote code execution, but they can be just as dangerous on WordPress sites. If an attacker deletes the right file, the site can lose critical configuration or security controls.

On WordPress, wp-config.php is a high-value target because it controls how the site connects to its database. If that file disappears, WordPress may start the installation workflow again, giving attackers a path to reconfigure the site in a hostile way.

[Image: The Wordfence firewall detects the path traversal attempt in form data and blocks the request]

The Wordfence Intelligence entry describes the vulnerability as unauthenticated, network-exploitable, and low complexity. That combination makes patching urgent for any site that uses affected Avada Builder versions.

  • Attackers do not need a WordPress account to exploit vulnerable form setups.
  • The vulnerable function can process attacker-controlled paths.
  • Deleting wp-config.php can trigger WordPress setup behavior.
  • A successful attack can lead to site takeover and remote code execution.
  • Sites using Avada Forms with database storage face the highest exposure.

What WordPress administrators should do now

Administrators should update Avada and Avada Builder immediately. The safest target is the latest available Avada release, since the vendor has continued shipping security updates after the 7.15.4 release.

The official Avada security notice also tells users to keep installations updated and maintained, especially when security fixes are included. Site owners should not leave bundled builder plugins outdated because the main theme still appears to work.

After updating, administrators should review Avada Forms that save entries to the database. They should also inspect recent submissions for suspicious path traversal strings, unusual uploaded file references, and unexpected privacy cleanup settings.

  1. Update Avada and Avada Builder to the latest available versions.
  2. Confirm that Avada Builder is no longer on version 3.15.3 or older.
  3. Review all published Avada Forms that store entries in the database.
  4. Check recent form submissions for path traversal patterns.
  5. Verify that wp-config.php and other critical files still exist and have expected permissions.
  6. Back up the site before making major cleanup or recovery changes.
  7. Rotate database credentials if compromise is suspected.
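The containment check that a deletion routine like maybe_delete_files() needs, and the review in step 4 above, come down to the same question: does a submitted value resolve to a location inside the form uploads directory? The following is an added illustration, not Avada's or Wordfence's code; the entry ids, field names and sample values are constructed, and the uploads directory is stood in for by a temporary directory.

```python
"""Added example, not Avada's or Wordfence's code: the containment check a
file-deletion routine like maybe_delete_files() needs, reused to scan stored
form entries for values that would escape the form uploads directory."""
import os
import posixpath
import tempfile
from urllib.parse import unquote

def _decode(value: str) -> str:
    # Undo up to two layers of URL encoding so %2e%2e%2f and %252e%252e%252f
    # are judged on what the server would finally see.
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_within(base_dir: str, submitted: str):
    """Return the absolute path `submitted` resolves to inside base_dir, or None
    if it would land outside base_dir (or is otherwise unusable as a file name)."""
    name = _decode(submitted).replace("\\", "/")
    if not name or "\x00" in name or posixpath.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath, not a string prefix, so /uploads-old cannot pass as /uploads
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target

def scan_entries(base_dir: str, entries):
    """entries: iterable of (entry_id, field, value); returns those that escape."""
    return [(i, f, v) for i, f, v in entries if resolve_within(base_dir, v) is None]

def demo():
    # Constructed sample entries (hypothetical ids and field names).
    entries = [
        (101, "attachment", "entry-101/resume.pdf"),
        (102, "attachment", "../../../../wp-config.php"),
        (103, "attachment", "%2e%2e%2f%2e%2e%2fwp-config.php"),
        (104, "attachment", "entry-104/photo%00.jpg"),
        (105, "attachment", "..\\..\\wp-config.php"),
    ]
    base = tempfile.mkdtemp()  # stands in for wp-content/uploads/<forms dir>
    flagged = [i for i, _, _ in scan_entries(base, entries)]
    safe = resolve_within(base, "entry-101/resume.pdf")
    return flagged, safe is not None and safe.endswith("entry-101/resume.pdf")
```

Entries 102 to 105 are flagged (plain traversal, URL-encoded traversal, an embedded null byte and backslash traversal), while the ordinary file reference in entry 101 resolves inside the base directory.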

Administrators who manage many WordPress sites should scan their portfolios for the fusion-builder plugin. Any site running Avada Builder 3.15.3 or older should move to a patched version as a priority.

FAQ

What is CVE-2026-8713?

CVE-2026-8713 is a critical arbitrary file deletion vulnerability in the Avada Builder WordPress plugin. It affects versions up to and including 3.15.3 and has been fixed in version 3.15.4.

Which Avada Builder versions are affected?

Avada Builder, also known as Fusion Builder, is vulnerable in all versions up to and including 3.15.3. Site owners should update to version 3.15.4 or a newer patched release.

Can attackers exploit the Avada Builder flaw without logging in?

Yes. Wordfence classifies the flaw as unauthenticated. However, exploitation requires a published Avada form that saves entries to the database.

Why is deleting wp-config.php dangerous?

wp-config.php stores key WordPress configuration data, including database connection details. If attackers delete it, WordPress can enter setup mode again, which may allow site takeover if attackers complete the setup with a malicious database.

What should Avada users do now?

Avada users should update Avada and Avada Builder to the latest available versions, confirm that Avada Builder is newer than 3.15.3, review Avada Forms that save entries to the database, and check logs or form submissions for suspicious path traversal attempts.
