Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Published: 2026-06-19
Score: 9.1 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Avada (Fusion) Builder plugin for WordPress is affected by an insufficient file path validation in the maybe_delete_files function used when processing form entries. An unauthenticated attacker can submit a crafted path‑traversal payload through the wp_ajax_nopriv_fusion_form_submit_ajax handler and force the application to delete any file on the server. Because the plugin is typically installed on a WordPress site, deleting critical files such as wp-config.php can lead to full loss of control over the site, effectively enabling remote code execution or site takeover.

Affected Systems

All WordPress installations using the Avada (Fusion) Builder plugin up to and including version 3.15.3 are vulnerable. Any site that has published a Fusion form configured to save entries to the database may be impacted, as the exploit relies on the form’s entry‑processing logic.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating high potential for damage. The EPSS score is 1%, suggesting a very low but nonzero probability of exploitation, and the issue is not listed in the CISA KEV catalog. The exploit requires no authentication and only a crafted form submission, making it theoretically easy for attackers to trigger. If the attacker deletes critical configuration files, remote code execution becomes possible, giving full control over the affected server.

Generated by OpenCVE AI on June 24, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update or upgrade the Avada (Fusion) Builder plugin to a version newer than 3.15.3 that includes the path‑validation fix.
  • If an upgrade cannot be performed immediately, block unauthenticated access to the wp_ajax_nopriv_fusion_form_submit_ajax endpoint using a firewall rule or server‑side configuration, thereby preventing the cleanup routine from executing on unauthorized submissions.
  • Constrain file‑system permissions so the web server’s process cannot write to critical WordPress directories (e.g., wp-config.php), reducing the impact of any remaining path‑traversal attempts.

Generated by OpenCVE AI on June 24, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress
Vendors & Products Themefusion
Themefusion fusion Builder
Wordpress
Wordpress wordpress

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Title Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

Themefusion Fusion Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-22T14:57:00.863Z

Reserved: 2026-05-15T20:33:46.821Z

Link: CVE-2026-8713

cve-icon Vulnrichment

Updated: 2026-06-22T14:56:57.257Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')