On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file, such as wp-config.php, is deleted. Exploitation requires a published Avada form configured to save entries to the database.
Props to daroo who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $3,600.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in path traversal protection.
We provided full disclosure details to the Avada team through our Wordfence Vulnerability Management Portal on May 15, 2026. The developer acknowledged the report and submitted a patch on May 19, 2026. We would like to commend the Avada team for their prompt response and timely patch.
We urge users to update their sites to the latest patched version of Avada Builder as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Technical Analysis
Avada Builder is a premium drag-and-drop page builder plugin for WordPress, bundled with the popular Avada theme. It includes a form builder feature that allows site administrators to create custom forms, embed them on pages via a shortcode, and optionally save submitted entries to the database. The form builder also supports a privacy cleanup feature that can automatically delete or anonymize stored submissions after a configurable expiration period.
When the cleanup routine runs, or when an administrator manually deletes a form entry, the plugin invokes the maybe_delete_files() function of the Fusion_Form_DB_Entries class for the stored entry. This is where the actual file deletion takes place:
public function maybe_delete_files( $id, $id_column = 'id' ) {
    $args = [];
    $args[ esc_attr( $id_column ) ] = $id;
    $entries = $this->get( [ 'where' => $args ] );
    if ( is_array( $entries ) && ! empty( $entries ) ) {
        $upload = wp_upload_dir();
        $upload['path'] = $upload['basedir'] . '/fusion-forms';
        $upload['url'] = $upload['baseurl'] . '/fusion-forms';
        foreach ( $entries as $entry ) {
            // Check if it holds a file URL.
            // $entry->value is whatever the form submitter typed; this is only a
            // substring check, not a prefix check.
            if ( $entry && isset( $entry->value ) && false !== strpos( $entry->value, $upload['url'] ) ) {
                $values = explode( ' | ', $entry->value );
                foreach ( $values as $value ) {
                    // Plain string replacement: any '../' in $value survives into $file_path.
                    $file_path = str_replace( $upload['url'], $upload['path'], $value );
                    // File exists, delete it.
                    if ( file_exists( $file_path ) ) {
                        wp_delete_file( $file_path );
                    }
                }
            }
        }
    }
}
The function searches each stored entry value for the Avada Forms upload URL (a substring match via strpos(), not a prefix check). Wherever it is found, the function builds a filesystem path by string-replacing the URL with the local upload directory path and deletes the result with wp_delete_file(). Because the entry value is whatever the form submitter typed into the field, it is fully attacker-controlled, and because the function performs no realpath() resolution or upload-directory containment check, any ../ sequences in the value are preserved in the final file path. wp_delete_file() itself only applies a filter and then unlinks the path, so it offers no protection either.
By submitting the published form with a text field value such as http://victim.com/wp-content/uploads/fusion-forms/../../../wp-config.php, an unauthenticated attacker can plant a stored entry whose value passes the strpos() check. When that entry is later removed, whether by the automatic privacy cleanup or by an administrator deleting it by hand, str_replace() turns the value into wp-content/uploads/fusion-forms/../../../wp-config.php, which the filesystem resolves three directories up to the site root, and wp_delete_file() unlinks wp-config.php.
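The following is an added example, not Avada's own code or its patch: a hardened replacement for the path derivation in maybe_delete_files(), run side by side with the original str_replace() approach against the advisory's payload. It runs stand-alone under the PHP CLI; the directory tree, the file names and the victim.example URL are constructed for the demo, and the function name fusion_forms_resolve_upload_path() is hypothetical.

```php
<?php
// Added example, not Avada's own code: a hardened replacement for the path
// derivation in maybe_delete_files(), plus a comparison with the original
// str_replace() approach. Runs stand-alone with the PHP CLI; all directories,
// files and URLs below are constructed for the demo.

/**
 * Resolve a stored form value to a file inside $upload_path, or return null.
 *
 * Three checks the original lacks: the upload URL must be a prefix (not just a
 * substring), no path segment may be '.' or '..', and the realpath()-resolved
 * target must still sit under the realpath()-resolved upload directory.
 */
function fusion_forms_resolve_upload_path( string $value, string $upload_url, string $upload_path ): ?string {
    $url_prefix = rtrim( $upload_url, '/' ) . '/';
    if ( 0 !== strpos( $value, $url_prefix ) ) {
        return null; // not a fusion-forms upload URL
    }
    $relative = substr( $value, strlen( $url_prefix ) );

    // Reject traversal, empty segments, null bytes and backslashes before
    // touching the filesystem at all.
    if ( false !== strpos( $relative, "\0" ) || false !== strpos( $relative, '\\' ) ) {
        return null;
    }
    foreach ( explode( '/', $relative ) as $segment ) {
        if ( '' === $segment || '.' === $segment || '..' === $segment ) {
            return null;
        }
    }

    // Canonicalise both sides. realpath() returns false for a missing file,
    // and a missing file is nothing to delete anyway.
    $base   = realpath( $upload_path );
    $target = realpath( $upload_path . '/' . $relative );
    if ( false === $base || false === $target ) {
        return null;
    }
    // Containment check: the resolved target must be strictly below $base.
    // This also catches a symlink inside the upload dir pointing elsewhere.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $target;
}

// --- Demo in a throw-away directory tree (constructed) -------------------
$root        = sys_get_temp_dir() . '/fusion-demo-' . getmypid();
$upload_path = $root . '/wp-content/uploads/fusion-forms';
$upload_url  = 'https://victim.example/wp-content/uploads/fusion-forms';
mkdir( $upload_path . '/entry-1', 0700, true );
file_put_contents( $upload_path . '/entry-1/cv.pdf', 'pdf bytes' );
file_put_contents( $root . '/wp-config.php', '<?php // database secrets' );

$cases = [
    'legitimate upload'     => $upload_url . '/entry-1/cv.pdf',
    'advisory payload'      => $upload_url . '/../../../wp-config.php',
    'URL only as substring' => 'https://attacker.example/?u=' . $upload_url . '/../../../wp-config.php',
    'file already gone'     => $upload_url . '/entry-1/missing.pdf',
];

foreach ( $cases as $label => $value ) {
    // What the vulnerable code would have handed to wp_delete_file():
    $naive = str_replace( $upload_url, $upload_path, $value );
    $safe  = fusion_forms_resolve_upload_path( $value, $upload_url, $upload_path );
    printf(
        "%-24s original: %s\n%-24s hardened: %s\n",
        $label,
        file_exists( $naive ) ? 'would delete ' . $naive : 'no file',
        '',
        $safe ?? 'rejected'
    );
}

// Remove the demo tree.
foreach ( [ $upload_path . '/entry-1/cv.pdf', $root . '/wp-config.php' ] as $f ) {
    unlink( $f );
}
foreach ( [ $upload_path . '/entry-1', $upload_path, $root . '/wp-content/uploads', $root . '/wp-content', $root ] as $d ) {
    rmdir( $d );
}
```

For the advisory payload the original branch reports that it would delete the wp-config.php sitting at the site root, while the hardened function rejects the value at the '..' segment before realpath() is ever called; the containment check on the resolved path is the backstop for anything the segment filter misses, such as a symlink planted inside the upload directory. When triaging an already-exposed site, the same idea applies in reverse: search the stored entry values (the value column read by get() above) for the upload URL followed by '..' to find planted entries before the cleanup routine processes them.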
Once wp-config.php is deleted, the WordPress installation enters its initial setup state, which can be leveraged for site takeover by pointing the installation at an attacker-controlled database. From there, the attacker can install plugins or themes containing malicious PHP code, ultimately achieving remote code execution.
As with all arbitrary file deletion vulnerabilities, this can lead to complete site compromise.
Wordfence Firewall
The following graphic demonstrates the steps an attacker might take to exploit the vulnerability, and the point at which the Wordfence firewall would block the attacker from exploiting it successfully.
The Wordfence firewall rule detects the path traversal sequence in the submitted form data and blocks the request.
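As an added example, not Wordfence's actual rule, here is an illustrative request-level check of the kind a firewall applies to submitted form fields before the plugin stores them: it undoes percent-encoding (twice, to catch double encoding), folds backslashes into forward slashes, and flags any field in which '..' appears as a complete path segment. It runs stand-alone under the PHP CLI; the form submissions and the victim.example URL are constructed, and the function names are hypothetical.

```php
<?php
// Added example, not Wordfence's rule: an illustrative request-level traversal
// check of the kind a firewall applies to submitted form fields before the
// plugin stores them. Runs stand-alone; every request below is constructed.

/**
 * Undo up to two layers of percent-encoding (to catch double encoding) and
 * fold backslashes and null bytes into '/', so one pattern covers the variants.
 * rawurldecode() is used on purpose so that '+' stays a literal plus.
 */
function normalise_for_traversal_check( string $value ): string {
    for ( $i = 0; $i < 2; $i++ ) {
        $decoded = rawurldecode( $value );
        if ( $decoded === $value ) {
            break;
        }
        $value = $decoded;
    }
    return str_replace( [ '\\', "\0" ], '/', $value );
}

/** True when '..' appears as a complete path segment anywhere in the value. */
function contains_path_traversal( string $value ): bool {
    return 1 === preg_match( '#(^|/)\.\.(/|$)#', normalise_for_traversal_check( $value ) );
}

/** Return the names of the submitted fields that would trigger a block. */
function scan_form_fields( array $fields ): array {
    $hits = [];
    foreach ( $fields as $name => $value ) {
        foreach ( (array) $value as $item ) {
            if ( is_string( $item ) && contains_path_traversal( $item ) ) {
                $hits[] = (string) $name;
                break;
            }
        }
    }
    return $hits;
}

// Constructed form submissions (field name => submitted value).
$base     = 'https://victim.example/wp-content/uploads/fusion-forms';
$requests = [
    'benign'                  => [ 'name' => 'Ada', 'message' => "See $base/entry-1/cv.pdf" ],
    'advisory payload'        => [ 'name' => 'x',   'message' => "$base/../../../wp-config.php" ],
    'percent-encoded'         => [ 'message' => "$base/%2e%2e/%2e%2e/%2e%2e/wp-config.php" ],
    'double-encoded backslash' => [ 'message' => "$base/%252e%252e%255c%252e%252e%255cwp-config.php" ],
    'dots but no traversal'   => [ 'message' => 'report..final/v1.pdf', 'tags' => [ 'a.b', '...' ] ],
];

foreach ( $requests as $label => $fields ) {
    $hits = scan_form_fields( $fields );
    printf( "%-26s %s\n", $label, $hits ? 'BLOCK (' . implode( ', ', $hits ) . ')' : 'allow' );
}
```

The first request and the last one are allowed; the three traversal variants are blocked on the message field. The segment-anchored pattern is what keeps 'report..final' and '...' from being false positives, and the two-pass decode is what catches the double-encoded variant that a single urldecode() would let through. A check like this is a compensating control at the request boundary; it does not replace the containment check that the deleting code itself needs.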
Disclosure Timeline
May 13, 2026 – We received the submission for the Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder via the Wordfence Bug Bounty Program.
May 15, 2026 – We validated the report and confirmed the proof-of-concept exploit. Full disclosure details were sent immediately to the vendor through our Wordfence Vulnerability Management Portal.
May 19, 2026 – The vendor acknowledged the report and submitted a patch.
June 2, 2026 – The fully patched version of the plugin, 3.15.4, was released.
Conclusion
In this blog post, we detailed a critical Unauthenticated Arbitrary File Deletion vulnerability within the Avada Builder plugin affecting all versions up to, and including, 3.15.3. This vulnerability allows unauthenticated threat actors to delete arbitrary files on the server by abusing the form builder’s privacy cleanup feature, leading to complete site compromise when critical files such as wp-config.php are deleted. The vulnerability has been fully addressed in version 3.15.4 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Avada Builder as soon as possible considering the critical nature of this vulnerability.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability by the Wordfence firewall’s built-in path traversal protection.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin appeared first on Wordfence.
