
Avada Builder CVE-2026-8713: Delete wp-config.php, No Login Required


The most-sold WordPress theme of all time has a quiet form-cleanup feature that, under a common set of conditions, lets any unauthenticated visitor delete wp-config.php — no login, no brute force, no prior access required.

CVE-2026-8713 received its full public advisory on June 18, 2026, covering the Avada (Fusion) Builder plugin bundled with Avada, the commercial theme with roughly one million active installations. The flaw scores CVSS 9.1 (Critical) on a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H — network-accessible, no privileges required, no user interaction, high impact on integrity and availability. No confidentiality impact is listed, but losing wp-config.php is a prelude to full site compromise.

The Vulnerable Code

Avada's form builder includes a GDPR-style entry-cleanup routine: when a form submission is purged, any uploaded files attached to it are automatically deleted. The function responsible, maybe_delete_files() inside the Fusion_Form_DB_Entries class, constructs a filesystem path with a simple string replacement:

$file_path = str_replace( $upload['url'], $upload['path'], $value );

No realpath() call. No check that the resulting path stays inside the uploads directory. If $value contains path-traversal sequences, the path walks straight out of /wp-content/uploads/fusion-forms/ to anywhere on the filesystem the web server process can reach — including files it has permission to delete.

The Attack Chain

The attacker submits a crafted form entry through wp_ajax_nopriv_fusion_form_submit_ajax, a publicly accessible AJAX endpoint that requires no authentication. The submission embeds a traversal payload — something like http://victim.com/wp-content/uploads/fusion-forms/../../wp-config.php — where a normal file reference would appear. Two additional fields tell Avada to process deletion immediately: fusion_privacy_expiration_interval set to zero and privacy_expiration_action set to delete.

WordPress's shutdown hook then fires the Fusion_Form_DB_Privacy routine. It processes the entry without any administrator approval, calls maybe_delete_files(), resolves the attacker-controlled path, and removes the file. Aiming at wp-config.php strips out the file holding your database credentials, authentication keys, and table prefix.

With wp-config.php gone, WordPress re-enters setup mode. The next browser visit to the site renders the familiar “Let’s get started!” installation wizard. An attacker who reaches that screen first can point the WordPress installation at a database they control. From there, installing a PHP web shell is straightforward.

The Condition That Makes It Work

The attack is not completely unconditional. For the deletion path to execute, the site must have at least one published Avada form configured to save submissions to the database. That condition is met by the default behavior of virtually every contact form, registration form, and inquiry form built with Avada's form builder — meaning almost any Avada site with user-facing forms qualifies. If you use Avada's form builder for a contact page and allow entry storage (which is the default), you are in scope.

Scale

Avada has held the best-selling position on ThemeForest for over a decade. Fusion Builder ships bundled with the theme and is also sold as a standalone plugin. The roughly one-million active-installation count puts CVE-2026-8713 among the larger-scope WordPress disclosures of 2026, behind the UpdraftPlus auth bypass (3 million installs) and the Kirki account-takeover flaw (500,000 installs) covered here in recent weeks.

A notable difference from those two: CVE-2026-8713 does not expose or exfiltrate data directly. The CVSS confidentiality impact is None (C:N) because the attack deletes files rather than reading them. What it does instead is destroy the structural integrity of a WordPress installation in a way that enables a full site reconstruction under attacker control — which is ultimately worse.

Timeline

  • May 13, 2026: Researcher Daroo discovers the flaw and submits it to Wordfence's Bug Bounty Program, earning a $3,600 bounty.
  • May 15: Wordfence validates the report and notifies the Avada development team.
  • June 2: Avada ships the fix in Fusion Builder version 3.15.4.
  • June 18: Wordfence publishes the full public advisory after the standard post-patch disclosure period.

What to Do Right Now

  • Update Fusion Builder to 3.15.4 or later. If you run Avada as a theme, update the full theme package — the builder is embedded. If you run Fusion Builder as a standalone plugin, update it independently from the Plugins screen.
  • If you cannot update immediately, open your Avada form settings and disable the “Save to Database” option for every published form. This removes the precondition the exploit depends on and eliminates the attack surface until you can patch.
  • Verify wp-config.php is present and unmodified. If you have file integrity monitoring in place, review it now. If you don’t, this vulnerability is a good prompt to add it — it’s one of the cleaner signals that something has gone wrong.
  • Review your server access logs for POST requests to admin-ajax.php carrying the fusion_form_submit_ajax action (the wp_ajax_nopriv_fusion_form_submit_ajax hook) that contain .. or percent-encoded traversal sequences (%2e%2e). Those patterns indicate reconnaissance or active exploitation attempts against this specific vector.
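A small PHP CLI script for that log-review step, added here as an example rather than Falcon Internet's or Avada's tooling. It assumes Apache/nginx "combined" log lines, and the sample lines, IP addresses and the field name in them are constructed, not captured traffic. It flags any POST to admin-ajax.php whose request line carries a traversal sequence after percent-decoding, including double-encoded variants:

```php
<?php
// Added example, not Falcon Internet's or Avada's code: scan combined-format
// access-log lines for POSTs to admin-ajax.php whose request line contains a
// directory-traversal sequence, plain or percent-encoded. Sample lines below
// are constructed.

/**
 * True if $s contains "../" or "..\" after up to two rounds of percent-decoding
 * (catches %2e%2e%2f as well as double-encoded %252e%252e%252f). Requiring the
 * separator avoids flagging harmless names such as "file..txt".
 */
function has_traversal_sequence( string $s ): bool {
    $decoded = $s;
    for ( $i = 0; $i < 2; $i++ ) {
        $decoded = rawurldecode( $decoded );
    }
    return (bool) preg_match( '~\.\.[/\\\\]~', $decoded );
}

/**
 * Pull [method, target] out of the quoted request line of a combined-format
 * log entry, or return null if the line does not look like one.
 */
function parse_request_line( string $line ): ?array {
    if ( ! preg_match( '~"([A-Z]+) (\S+) HTTP/[\d.]+"~', $line, $m ) ) {
        return null;
    }
    return [ $m[1], $m[2] ];
}

/**
 * Return the lines that look like traversal attempts against the AJAX
 * endpoint. The wp_ajax_nopriv_fusion_form_submit_ajax hook is reached through
 * admin-ajax.php with action=fusion_form_submit_ajax; the action is usually in
 * the POST body, so we match on the script name rather than the action.
 */
function find_fusion_traversal_attempts( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $req = parse_request_line( $line );
        if ( $req === null ) {
            continue;
        }
        [ $method, $target ] = $req;
        if ( $method !== 'POST' || stripos( $target, 'admin-ajax.php' ) === false ) {
            continue;
        }
        if ( has_traversal_sequence( $target ) ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Lines 3 and 4 should be flagged.
$sample = [
    '203.0.113.5 - - [18/Jun/2026:10:14:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jun/2026:10:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "https://example.com/contact/" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2026:10:15:31 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&field=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 64 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Jun/2026:10:15:40 +0000] "POST /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&field=%252e%252e%252fwp-config.php HTTP/1.1" 200 64 "-" "curl/8.0"',
];

foreach ( find_fusion_traversal_attempts( $sample ) as $hit ) {
    echo "SUSPICIOUS: $hit\n";
}
```

One caveat worth keeping in mind: a standard access log records only the request line, not the POST body, and form fields normally travel in the body. This scanner therefore catches payloads that landed in the query string; inspecting body content requires a WAF or request-body audit logging in front of the site. Pair the log review with the wp-config.php integrity check above.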

The Broader Pattern

Path traversal in file-handling code is a perennial WordPress plugin problem precisely because it is invisible to functional testing: the routine works correctly for legitimate inputs and fails only when an attacker crafts a malicious one. Catching it requires dedicated security review of every code path where user-supplied strings reach filesystem operations. The fix for CVE-2026-8713 amounts to a single realpath() call and a three-line containment check — not a complex oversight, just one that doesn't surface in normal QA.

The patch was available sixteen days before this advisory went public. At Falcon Internet, our 24x7x365 NOC monitoring flags anomalous AJAX traffic patterns, but the most effective defense here is simple and free: install the update.

Need this handled instead of explained?

We do this for a living — talk to an engineer about your setup.