Impact
An arbitrary file deletion flaw was discovered in the WordPress Fusion Builder plugin, versions 3.15.4 and earlier. The vulnerability allows a user with contributor rights to delete arbitrary files on the server hosting the WordPress installation, potentially removing critical configuration files, themes, or other content. This can lead to site downtime, data loss, and loss of data integrity for the affected environment. The weakness corresponds to CWE-22 (path traversal): file path handling that lacks proper validation.
Affected Systems
All installations of the ThemeFusion Fusion Builder plugin at version 3.15.4 or older are affected. The CVE specifies that any instance running these plugin releases is vulnerable; no WordPress core version requirement is noted beyond the plugin itself.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.7, which falls in the high severity range. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The likely exploitation path is an authenticated contributor invoking the plugin’s file deletion endpoint. No additional network or remote attack vector is described, so the attack vector is inferred to be local or authenticated within the WordPress environment. Risk is therefore highest for sites that grant contributor accounts broadly or lack proper segregation of duties, and the potential damage is significant because arbitrary files can be removed.
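The two controls whose absence the description above points to, an authorization decision and a path containment check before any delete, are sketched here as an added example; it is not Fusion Builder or WordPress code. The function names, the demo directory layout and the `$mayDelete` flag are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not Fusion Builder or WordPress code.

// Return the canonical path only if it is a regular file inside $baseDir.
function resolve_deletable_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and fails for missing paths.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The trailing separator stops a sibling such as "uploads-old" from matching "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// $mayDelete is the caller's authorization decision (assumption: in WordPress
// it would come from a capability check such as current_user_can()).
function delete_user_file(string $baseDir, string $requested, bool $mayDelete): bool
{
    if (!$mayDelete) {
        return false;
    }
    $target = resolve_deletable_path($baseDir, $requested);
    return $target !== null && unlink($target);
}

// Constructed demo tree in a temp directory; the file names are stand-ins.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fd_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/export.json', '{}');
file_put_contents($root . '/wp-config.php', '<?php // constructed stand-in');

$cases = [
    'traversal, authorized'  => ['../wp-config.php', true],
    'in-scope, unauthorized' => ['export.json', false],
    'in-scope, authorized'   => ['export.json', true],
];
foreach ($cases as $label => [$path, $allowed]) {
    printf("%-24s deleted=%s\n", $label, var_export(delete_user_file($root . '/uploads', $path, $allowed), true));
}
printf("config file still present: %s\n", var_export(file_exists($root . '/wp-config.php'), true));
unlink($root . '/wp-config.php');
rmdir($root . '/uploads');
rmdir($root);
```

Run with the PHP CLI; the containment check compares canonical paths, so it also rejects symlinks inside the allowed directory that point outside it.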
OpenCVE Enrichment