HIGH | CVE-2026-54193 | CNA: Patchstack

CVE-2026-54193: WordPress Fusion Builder plugin <= 3.15.4 - Arbitrary File Deletion vulnerability

Contributor Arbitrary File Deletion in Fusion Builder <= 3.15.4 versions.

Metrics

  • CVSS v3.1: 7.7
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An arbitrary file deletion vulnerability affects the Fusion Builder WordPress plugin at version 3.15.4 and earlier. The flaw is reachable over the network and requires only a low-privilege (contributor-level) account to exploit, with no victim interaction needed. Successful exploitation allows an attacker to delete arbitrary files on the server, which can destroy application data, remove configuration files, or render the site unavailable. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-54193 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. Coverage extends to custom-built images that bundle the Fusion Builder plugin, not just images pulled from public registries.

Status: Available

Triage

HarborGuard scores this CVE at 7.7 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage routing directs findings to the appropriate team inbox within the customer organization based on configured policy rules.

Status: Available

Patch

No fix version has been published for CVE-2026-54193. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Required

    A low-privilege account is sufficient; specifically, a contributor-level WordPress account is all that is needed to trigger the file deletion.

  • Victim interaction: Not required

    The attacker does not need to trick any other user into performing an action; the exploit is self-contained.

  • Attack complexity (detail)

    The exploit is reliable and condition-free, requiring no race conditions, memory-layout dependencies, or other environmental factors to succeed.

Blast Radius

  • Attacker deletes arbitrary files on the server, including WordPress core files, theme files, or plugin files, breaking site functionality.
  • Critical configuration files such as wp-config.php can be removed, exposing database credentials or making the site unrecoverable without a backup restore.
  • Deletion of key files causes the site to go fully offline, resulting in a sustained denial of service for end users.
  • Because the CVSS scope is Changed (S:C), impact extends beyond the WordPress application itself and can affect other resources or services sharing the same host filesystem.

How HarborGuard Handles This

Available on HarborGuard: detection for this vulnerability is active and matched against all images that bundle Fusion Builder 3.15.4 or earlier. Because no upstream fix has been published, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run plus a PR against affected workloads the moment a fix version is confirmed. In the interim, compensating controls are recommended: apply network-policy rules to restrict contributor-level access to administrative endpoints, enforce the principle of least privilege on WordPress user roles, and consider filesystem-level protections (such as read-only mounts for critical directories) where your deployment model permits. Where compliance policy allows, HarborGuard can surface these compensating-control findings as policy exceptions to keep affected workloads under active review until the patch is available.

Affected packages

  • ThemeFusion / Fusion Builder ≤ 3.15.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H