Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Published: 2026-06-19
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Avada (Fusion) Builder plugin for WordPress performs insufficient file path validation in the maybe_delete_files function that runs when stored form entries are cleaned up. An unauthenticated attacker submits a crafted path-traversal payload through the wp_ajax_nopriv_fusion_form_submit_ajax handler, sets the fusion_privacy_expiration_interval and privacy_expiration_action fields so the planted entry is due for an immediate 'delete' cleanup, and lets the Fusion_Form_DB_Privacy shutdown-hook routine delete the file the payload points at; no administrator interaction is involved. Deleting wp-config.php removes the site's database configuration, after which WordPress offers its installation routine to any visitor; an attacker can complete it against a database they control, obtain an administrator account and from there execute code on the server, so the file deletion becomes full site takeover. The same primitive reaches any other file the web server process is permitted to delete.
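The check the advisory describes as insufficient is a CWE-22 containment problem: the deletion routine must refuse any path that does not resolve to a location under the directory it is meant to manage. The following Python is an added illustration, not the plugin's code; the helper names are hypothetical and the WordPress-like directory layout is constructed in a temporary directory. It contrasts the textual prefix test that typically underlies such bugs, which accepts `<uploads>/../../wp-config.php`, with a check on the resolved path, and gates a delete routine on the stronger check.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical helper names; none of this is Avada's maybe_delete_files().
# Policy modelled here: a form-entry cleanup may delete files only from
# inside the site's uploads directory.


def _resolve(uploads_dir: str, candidate: str) -> Path:
    """Anchor relative candidates at the uploads dir, then resolve symlinks
    and '..' components so the check sees the real target."""
    target = Path(candidate)
    if not target.is_absolute():
        target = Path(uploads_dir) / target
    return target.resolve()


def naive_is_allowed(uploads_dir: str, candidate: str) -> bool:
    """The weak check behind most CWE-22 bugs: a textual prefix test on the
    unresolved path. '<uploads>/../../wp-config.php' passes it."""
    return candidate.startswith(uploads_dir)


def hardened_is_allowed(uploads_dir: str, candidate: str) -> bool:
    """Component-wise containment on the resolved path: the uploads dir must
    be a proper ancestor of the target. Defeats '..', absolute paths, symlinks
    pointing out of the tree and prefix collisions (uploads vs uploads_evil)."""
    root = Path(uploads_dir).resolve()
    return root in _resolve(uploads_dir, candidate).parents


def safe_delete(uploads_dir: str, candidate: str) -> bool:
    """Delete only when the hardened check passes; True if a file was removed."""
    if not hardened_is_allowed(uploads_dir, candidate):
        return False
    target = _resolve(uploads_dir, candidate)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Build a constructed stand-in for a WordPress tree in a temp dir and run
    both checks over the payload shapes an attacker would try. Returns
    {case: (naive_verdict, hardened_verdict)} plus two outcome flags."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        uploads = site / "wp-content" / "uploads"
        (uploads / "fusion-forms").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed stand-in\n")
        entry = uploads / "fusion-forms" / "entry-1.txt"
        entry.write_text("form upload\n")
        evil = site / "wp-content" / "uploads_evil"
        evil.mkdir()
        (evil / "x.txt").write_text("x\n")
        try:
            os.symlink(site / "wp-config.php", uploads / "link.php")
            have_symlink = True
        except OSError:  # platform without symlink support
            have_symlink = False

        u = str(uploads)
        cases = {
            "in_uploads": str(entry),                                   # legitimate target
            "traversal": str(uploads / ".." / ".." / "wp-config.php"),  # '..' behind an uploads prefix
            "relative_traversal": "../../wp-config.php",
            "absolute": str(site / "wp-config.php"),
            "prefix_collision": str(evil / "x.txt"),                    # uploads_evil starts with uploads
        }
        if have_symlink:
            cases["symlink_out"] = str(uploads / "link.php")           # symlink escaping the tree
        results = {name: (naive_is_allowed(u, p), hardened_is_allowed(u, p))
                   for name, p in cases.items()}

        safe_delete(u, cases["traversal"])   # must be refused
        safe_delete(u, cases["in_uploads"])  # must succeed
        results["wp_config_survives"] = (site / "wp-config.php").exists()
        results["entry_deleted"] = not entry.exists()
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The same structure carries over to PHP: resolve with realpath() after confirming the file exists, then compare path components against the resolved uploads directory rather than testing a string prefix, and treat a realpath() failure as a refusal.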

Affected Systems

All WordPress installations running the Avada (Fusion) Builder plugin up to and including version 3.15.3 carry the flaw. The precondition stated in the advisory is a published Avada form configured to save entries to the database, because the attack plants an entry that the entry-cleanup routine later processes; a site with no such form does not meet that precondition, but the vulnerable code is still present and a form may be published at any time.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 9.1 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, high integrity and availability impact and no direct confidentiality impact. No EPSS score is available and the issue is not listed in the CISA KEV catalog. Exploitation needs nothing beyond a crafted form submission to a publicly reachable endpoint, so once the precondition (a published form that stores entries) is met it is well within reach of automated scanning. Deleting wp-config.php or another critical file turns the file deletion into site takeover and remote code execution.

Generated by OpenCVE AI on June 19, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Avada (Fusion) Builder plugin as soon as the vendor publishes a version newer than 3.15.3 that includes the path-validation fix; at the time of this record no fixed version is listed.
  • Until then, block unauthenticated access to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint (POST requests to admin-ajax.php carrying action=fusion_form_submit_ajax) with a firewall rule or server-side configuration, so no attacker-controlled entry reaches the cleanup routine. This also disables public Avada form submissions for the duration; unpublishing the forms that save entries to the database, or turning that setting off, removes the stated precondition with less collateral effect.
  • Limit the blast radius at the file-system level. Deleting a file requires write permission on its parent directory, so make sure the web server process cannot write to the directory holding wp-config.php, or move wp-config.php one level above the web root, which WordPress supports. This does not remove the vulnerability but keeps a traversal from reaching the file that turns deletion into takeover.
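A request-level rule for the interim mitigation above, as an added example that is not taken from OpenCVE, Wordfence or the plugin. It assumes the form posts to admin-ajax.php with action=fusion_form_submit_ajax (the hook name from the advisory without its wp_ajax_nopriv_ prefix) and uses the two privacy field names the advisory lists; the request bodies are constructed. It blocks traversal sequences in any field, including double-encoded and backslash forms, and marks unauthenticated requests that supply the privacy cleanup fields themselves as suspicious.

```python
import re
from urllib.parse import parse_qs, unquote

# Names taken from the advisory text. The request shape (a flat POST to
# admin-ajax.php with an 'action' field) is an assumption about how the form
# posts, not verified against the plugin.
AJAX_ACTION = "fusion_form_submit_ajax"
PRIVACY_FIELDS = ("fusion_privacy_expiration_interval", "privacy_expiration_action")
TRAVERSAL = re.compile(r"\.\.(/|$)")


def _decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (parse_qs already did one pass) so a
    double-encoded ..%252F is seen as ../, then normalise backslashes."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value.replace("\\", "/")


def inspect_request(method: str, path: str, body: str, authenticated: bool = False) -> dict:
    """Classify one request. 'block' is set on a traversal sequence in any field
    of a fusion_form_submit_ajax submission; 'suspicious' is set when an
    unauthenticated client supplies the privacy cleanup fields itself."""
    verdict = {"block": False, "suspicious": False, "reasons": []}
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
        return verdict
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[0] != AJAX_ACTION:
        return verdict  # out of scope for this rule
    for name, values in fields.items():
        for raw in values:
            if TRAVERSAL.search(_decode(raw)):
                verdict["block"] = True
                verdict["reasons"].append(f"traversal sequence in field {name!r}")
    supplied = [f for f in PRIVACY_FIELDS if f in fields]
    if supplied and not authenticated:
        verdict["suspicious"] = True
        verdict["reasons"].append("unauthenticated client set " + ", ".join(supplied))
    return verdict


# Constructed sample requests: (name, method, path, body)
CONSTRUCTED_REQUESTS = [
    ("benign", "POST", "/wp-admin/admin-ajax.php",
     "action=fusion_form_submit_ajax&formData=name%3DAlice%26message%3DHello"),
    ("traversal_plus_privacy", "POST", "/wp-admin/admin-ajax.php",
     "action=fusion_form_submit_ajax&formData=upload%3D..%252F..%252Fwp-config.php"
     "&fusion_privacy_expiration_interval=0&privacy_expiration_action=delete"),
    ("double_encoded", "POST", "/wp-admin/admin-ajax.php",
     "action=fusion_form_submit_ajax&attachment=%252e%252e%252f%252e%252e%252fwp-config.php"),
    ("other_action", "POST", "/wp-admin/admin-ajax.php",
     "action=heartbeat&data=..%2F..%2Fetc%2Fpasswd"),
    ("get_request", "GET", "/wp-admin/admin-ajax.php?action=fusion_form_submit_ajax", ""),
]


def demo() -> dict:
    """Run the rule over the constructed requests; returns {name: verdict}."""
    return {name: inspect_request(m, p, b) for name, m, p, b in CONSTRUCTED_REQUESTS}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:24} block={v['block']!s:5} suspicious={v['suspicious']!s:5} {v['reasons']}")
```

Apply the logic in a WAF rule or a must-use plugin that runs before the handler; if the form legitimately sends the privacy fields, downgrade the 'suspicious' rule to log-only, and retire the rule once a fixed version is installed.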

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 06:15:00 +0000

Values removed: none recorded.

Values added:
  Description: the CVE description shown at the top of this page.
  Title: Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
  Weaknesses: CWE-22
  References: none
  Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T04:31:34.491Z

Reserved: 2026-05-15T20:33:46.821Z

Link: CVE-2026-8713

OpenCVE Enrichment

Updated: 2026-06-19T07:30:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')