Sites running Avada Builder are at serious risk from a now-patched vulnerability that allows anyone — no login required — to delete arbitrary files from the server, potentially handing over complete control of a WordPress installation. The flaw affects all versions of the plugin up to and including 3.15.3, and was fixed in version 3.15.4, released on June 2, 2026.
The vulnerability carries a CVSS score of 9.1 (Critical) and is tracked as CVE-2026-8713. Avada Builder, the page-building component bundled with the popular Avada theme, has an estimated one million active installations, making the attack surface wide. Exploitation requires one precondition: a published Avada form on the site that is configured to save submitted entries to the database.

The attack works by abusing the plugin’s privacy cleanup feature, which is designed to delete uploaded files attached to form submissions after a configurable expiration period. The vulnerable function — maybe_delete_files() in the Fusion_Form_DB_Entries class — builds a file path from stored entry values but performs no validation to confirm the resulting path stays within the intended upload directory. An attacker can submit a form entry containing a path traversal sequence pointing to a sensitive file like wp-config.php, then force the cleanup routine to run immediately by manipulating two additional form fields. No administrator interaction is needed once the entry is planted.
“This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).”
Deleting wp-config.php — the file that holds WordPress database credentials and configuration — causes WordPress to enter its initial setup wizard. An attacker can then point the installation at an attacker-controlled database, create an administrator account, and achieve full remote code execution by installing a plugin or theme carrying malicious PHP. The path from file deletion to site takeover requires no special tooling, and Wordfence’s full disclosure walks through the exploit chain in detail.
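As an added illustration of the missing check described above (this is not Avada's or Wordfence's code; the function names, and the assumption that the stored entry value is a file name relative to an attachment directory, are mine), here is the unsafe pattern of deleting a path built straight from a stored value, beside a version that canonicalises the path and refuses anything outside the upload directory:

```php
<?php
// Added example, not Avada's code: the unsafe pattern beside a containment check.
// $upload_dir and $entry_value are assumed names for the attachment directory
// and the file name stored with a form entry.

// Unsafe: the stored value is joined to the directory and deleted with no check
// that the result still lies inside that directory, so "../wp-config.php" walks out.
function delete_entry_file_unsafe( string $upload_dir, string $entry_value ): bool {
    $path = $upload_dir . '/' . $entry_value;
    return file_exists( $path ) && unlink( $path );
}

// Hardened: canonicalise both sides and require a regular file strictly inside
// the upload directory; returns null (delete nothing) on any doubt.
function resolve_inside_dir( string $base_dir, string $relative ): ?string {
    $base = realpath( $base_dir );
    if ( false === $base || '' === $relative || str_contains( $relative, "\0" ) ) {
        return null;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $target ) {
        return null; // does not exist, nothing to delete
    }
    // Separator appended so "/uploads-evil" is not accepted as a child of "/uploads".
    if ( ! str_starts_with( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return is_file( $target ) ? $target : null;
}

function delete_entry_file_safe( string $upload_dir, string $entry_value ): bool {
    $target = resolve_inside_dir( $upload_dir, $entry_value );
    if ( null === $target ) {
        error_log( 'Refused to delete attachment outside upload dir: ' . $entry_value );
        return false;
    }
    return unlink( $target );
}

// Constructed demonstration in a throwaway temp directory.
$dir = sys_get_temp_dir() . '/form-demo-' . bin2hex( random_bytes( 4 ) );
mkdir( $dir . '/attachments', 0700, true );
file_put_contents( $dir . '/attachments/photo.jpg', 'x' );
file_put_contents( $dir . '/wp-config.php', '<?php // stand-in for the real config' );

var_dump( delete_entry_file_safe( $dir . '/attachments', '../wp-config.php' ) );
var_dump( file_exists( $dir . '/wp-config.php' ) );
var_dump( delete_entry_file_safe( $dir . '/attachments', 'photo.jpg' ) );
```

The refused deletion is also written to the PHP error log, which gives a site owner a concrete line to alert on if a stored entry ever carries a traversal sequence.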
The vulnerability was discovered and responsibly reported by a researcher going by the handle daroo through the Wordfence Bug Bounty Program on May 13, 2026. Wordfence sent full technical details to the Avada team on May 15, and a patch was submitted by May 19 — a turnaround of four days. The $3,600 bounty paid to the researcher reflects the severity of the finding.
Sites using any tier of the Wordfence firewall — including the free version — are protected: its path traversal detection blocks the malicious form submission before the entry can be planted. Firewall protection, however, is not a substitute for patching. Any site running Avada Builder at version 3.15.3 or earlier should update to 3.15.4 immediately, particularly if any published forms are configured to store submissions in the database. Sites with no published Avada forms, or forms that do not store entries in the database, are not exposed.