A severe security flaw in the popular Avada Builder WordPress plugin has put over a million websites at risk of file deletion attacks, which could lead to complete site takeover and remote code execution. Known as CVE-2026-8713 and carrying a CVSS score of 9.1, this vulnerability was identified by security researcher ‘daroo’ through the Wordfence Bug Bounty Program.
Discovery and Impact of the Vulnerability
The researcher received a $3,600 reward for uncovering the vulnerability, which affects all versions of the plugin up to 3.15.3. A patch was released in version 3.15.4 to address this critical issue. The problem originates from inadequate validation of file paths within the plugin’s file deletion function, allowing attackers to exploit a path-traversal flaw.
Malicious actors can utilize Avada’s form builder, especially when configured to store submissions in the database, to delete arbitrary server files. By submitting a crafted payload with directory traversal sequences, attackers can target files beyond the intended file upload directory, posing a significant threat to site security.
Mechanism of the Attack
The attack requires an Avada form that is publicly accessible and has database storage enabled. An attacker can submit a malicious form entry, manipulating file paths to target critical files like wp-config.php. Wordfence’s firewall is capable of detecting and blocking such path traversal attempts.
Due to insufficient validation checks, the plugin processes harmful inputs during its automated privacy cleanup routine, leading to the deletion of targeted files. Attackers can trigger this routine without needing authentication or administrative access, potentially reconfiguring the site with malicious intent.
Response and Recommendations
The vulnerability was reported to Wordfence on May 13, 2026, verified and communicated to the plugin vendor on May 15, and addressed by the Avada team with a patch released on June 2, 2026, in version 3.15.4. Users are strongly encouraged to update to the latest version to protect against exploitation.
This incident underscores the critical importance of secure coding practices and thorough input validation in plugin development. Without proper checks, attackers can manipulate directory paths, enabling unauthorized file deletions. The widespread use and ease of exploitation make this vulnerability particularly dangerous.
Wordfence users benefit from built-in firewall rules designed to detect and prevent such attacks, highlighting the tool’s role in safeguarding WordPress sites. Ensuring plugins are updated and employing comprehensive security measures are vital steps in maintaining site integrity and thwarting potential threats.
