CVE-2026-8713 | Severity: CRITICAL | CNA: Wordfence

CVE-2026-8713: Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion because the maybe_delete_files function does not adequately validate file paths, in all versions up to and including 3.15.3. An unauthenticated attacker can delete arbitrary files on the server, which leads to remote code execution when the right file is deleted (for example wp-config.php). The attack requires a published Avada form that is configured to save entries to the database. The attacker submits a path-traversal payload through the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup; the planted entry is then processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
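The root cause the advisory names is a deletion routine that trusts a path derived from a form entry. The Python block below is an added illustration written for this page; it is not the plugin's code or its fix (which would be PHP, where the same check is built on realpath()). It places the unsafe join-and-unlink pattern beside a canonicalize-then-confine check and shows, on a throwaway directory tree, that a traversal name removes a wp-config.php lookalike through the former and is refused by the latter. The directory layout and file names are constructed for the demonstration.

```python
"""Added example (not Avada/Fusion Builder code): confining a user-supplied
file reference to one base directory before unlinking it.

The uploads directory, the file names and the tree built in demo() are
assumptions made for this illustration."""
import os
import tempfile


def unsafe_delete(uploads_dir: str, name: str) -> bool:
    """The vulnerable pattern: join and unlink with no canonical-path check.
    A name such as '../../wp-config.php' escapes uploads_dir, and an
    absolute name makes os.path.join discard uploads_dir entirely."""
    target = os.path.join(uploads_dir, name)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def safe_delete(uploads_dir: str, name: str) -> bool:
    """Hardened pattern: canonicalize both sides with realpath (which also
    resolves symlinks), then require the target to lie strictly inside the
    base directory. Anything outside is refused and left untouched."""
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole path components; a plain startswith would
    # accept '/var/uploads-evil/x' as being inside '/var/uploads'.
    if os.path.commonpath([base, target]) != base or target == base:
        return False
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def demo() -> dict:
    """Build a constructed tree, feed the same traversal name to both
    routines and report which one destroyed the file outside uploads."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        config = os.path.join(root, "wp-config.php")   # constructed sample
        legit = os.path.join(uploads, "entry-1.pdf")    # constructed sample
        for path in (config, legit):
            with open(path, "w") as fh:
                fh.write("x")
        # Traversal relative to the uploads directory, as an attacker submits it.
        traversal = os.path.join("..", "..", "wp-config.php")
        result = {}
        result["safe_refused_traversal"] = not safe_delete(uploads, traversal)
        result["config_survives_safe"] = os.path.exists(config)
        result["safe_deletes_legit"] = safe_delete(uploads, "entry-1.pdf")
        result["unsafe_deleted_config"] = unsafe_delete(uploads, traversal)
        result["config_survives_unsafe"] = os.path.exists(config)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations matters: canonicalize first, then compare, then unlink. Checking the raw string for `..` before resolving misses symlinks and encoded variants, and comparing with a prefix string instead of whole components admits sibling directories that share the prefix.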

Metrics

CVSS v3.1 base score: 9.1 (Critical)
Fixed in: no fixed version published (pending upstream)
Affected products: 1


HarborGuard Analysis

Synopsis

An arbitrary file deletion vulnerability exists in the Avada (Fusion) Builder WordPress plugin in versions up to and including 3.15.3. The flaw is reachable over the network, requires no authentication and needs no action from a victim: the attacker submits a path-traversal payload through the public AJAX handler the plugin exposes for unauthenticated form submissions. Successful exploitation deletes arbitrary files on the server. wp-config.php is the classic target: without it WordPress no longer knows its database and behaves as a fresh, uninstalled site, so the attacker can walk through the setup wizard against a database they control, obtain an administrator account and install a plugin containing arbitrary PHP, which is the well-known path from this bug class to remote code execution. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-8713 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and the NVD) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle the Avada (Fusion) Builder plugin.

Triage: Available

Triage is available with a pre-computed CVSS v3.1 score of 9.1 (Critical), weighted against each environment's compliance policy to set urgency and priority; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

No upstream fix version has been published for CVE-2026-8713. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the Avada (Fusion) Builder maintainers ship a remediated release; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX handler (wp_ajax_nopriv_fusion_form_submit_ajax) is served through wp-admin/admin-ajax.php over HTTP/HTTPS, so the attacker must be able to reach the WordPress site across the network.

  • Authentication: Not required

    The handler is registered under wp_ajax_nopriv, so no WordPress account or session of any privilege level is needed to submit the malicious payload.

  • Victim interaction: Not required

    The attack is fully self-contained: the attacker submits the path-traversal form entry and forces the immediate cleanup in the same request chain, with no administrator or user action required.

  • Attack complexity: Low

    The only precondition is a published Avada form configured to save entries to the database. Given that, exploitation is deterministic: no race condition, memory-layout knowledge or environmental guesswork is required.

Blast Radius

  • Deletes any file the web server process has permission to remove, including application source, configuration files and credential material.
  • Deletes wp-config.php, which holds the database connection settings and authentication salts; with that file gone, WordPress treats the site as uninstalled and serves its setup wizard to anyone who requests it.
  • Enables remote code execution: an attacker can complete the setup wizard against a database they control, obtain an administrator account and install a plugin containing arbitrary PHP. Removing files that enforce access restrictions (an .htaccess rule set, for example) widens the exposure further.
  • Takes the site offline for all visitors by deleting core files, a denial-of-service condition that persists until the files are restored from backup.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-8713, HarborGuard continuously monitors the Wordfence and NVD advisory feeds and will surface a patched-image rebuild the moment the Avada (Fusion) Builder maintainers publish a fix. In the interim, compensating controls available to customers include: disabling database entry saving on all Avada forms until a patch is available, which removes the precondition for exploitation and is the least disruptive option; network-policy or WAF rules on the WordPress AJAX endpoint (wp-admin/admin-ajax.php), with the caveat that admin-ajax.php also serves legitimate anonymous front-end requests (including the Avada form submissions themselves), so a blanket restriction to known-safe IP ranges breaks public forms and a rule keyed on the action parameter (fusion_form_submit_ajax) is usually the better interim choice; and egress filtering on the container to limit lateral movement if exploitation occurs. For customers with auto-remediation enabled, the rebuild plus a regression-test run and a PR against affected workloads will be opened automatically once the fix version is published; for environments where compliance policy requires manual approval, HarborGuard will stage the rebuilt image and notify the configured owner inbox for review.
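An action-scoped filter is more precise than cutting off admin-ajax.php by source address. The Python block below is an added example for this page, not HarborGuard or Avada code: it models a WAF-style check that passes every request except admin-ajax.php calls carrying the fusion_form_submit_ajax action, and blocks those only when the client supplies privacy_expiration_action=delete or any submitted value carries path-traversal or absolute-path material. The advisory names the action and the two control fields but does not state how the plugin encodes submitted form values in the POST body, so the filter assumes flat application/x-www-form-urlencoded fields; that encoding, the host name and the sample requests are assumptions constructed for the demonstration.

```python
"""Added example (not HarborGuard or Avada code): a request filter that
blocks only the exploit shape described for CVE-2026-8713 instead of all
of admin-ajax.php.

Assumptions: form fields arrive as flat urlencoded pairs; the host name and
the SAMPLE_REQUESTS list are constructed, not captured traffic."""
from urllib.parse import parse_qs, urlsplit

AJAX_ACTION = "fusion_form_submit_ajax"
# Fields the advisory says the attacker controls to force immediate cleanup.
CONTROL_FIELDS = ("fusion_privacy_expiration_interval", "privacy_expiration_action")
# One extra decoding pass catches double-encoded dots and slashes.
_ENCODED = {"%2e": ".", "%2E": ".", "%2f": "/", "%2F": "/", "%5c": "\\", "%5C": "\\"}


def _looks_like_path(value: str) -> bool:
    """True for '../' or '..\\' sequences, a leading slash, or a Windows
    drive prefix such as 'C:\\', after undoing one level of percent-encoding."""
    v = value
    for enc, plain in _ENCODED.items():
        v = v.replace(enc, plain)
    return ("../" in v or "..\\" in v or v.startswith("/")
            or (len(v) > 2 and v[0].isalpha() and v[1] == ":" and v[2] in "\\/"))


def inspect(method: str, url: str, body: str) -> dict:
    """Return a verdict for one HTTP request. Only admin-ajax.php calls
    carrying the Fusion submit action are examined; everything else passes."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return {"block": False, "reason": "not admin-ajax"}
    # admin-ajax accepts the action in the query string or the POST body.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if method.upper() == "POST":
        params.update({k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()})
    if params.get("action") != AJAX_ACTION:
        return {"block": False, "reason": "other ajax action"}
    # A client should never be able to ask for the 'delete' cleanup path.
    if params.get("privacy_expiration_action", "").lower() == "delete":
        return {"block": True, "reason": "client-supplied privacy_expiration_action=delete"}
    # Path material in any submitted entry value is the traversal payload.
    for name, value in params.items():
        if name == "action" or name in CONTROL_FIELDS:
            continue
        if _looks_like_path(value):
            return {"block": True, "reason": f"path traversal in field {name!r}"}
    return {"block": False, "reason": "form submission looks benign"}


# Constructed sample requests (method, URL, body), not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "https://example.test/wp-admin/admin-ajax.php",
     "action=fusion_form_submit_ajax&message=hello&email=a%40example.test"),
    ("POST", "https://example.test/wp-admin/admin-ajax.php",
     "action=fusion_form_submit_ajax&privacy_expiration_action=delete&message=hello"),
    ("POST", "https://example.test/wp-admin/admin-ajax.php",
     "action=fusion_form_submit_ajax&message=..%2F..%2F..%2Fwp-config.php"),
    ("POST", "https://example.test/wp-admin/admin-ajax.php", "action=heartbeat&data=x"),
    ("GET", "https://example.test/?p=1", ""),
]


def demo() -> list:
    """Verdicts for SAMPLE_REQUESTS, in order: benign form, forced delete,
    traversal value, unrelated ajax action, unrelated page."""
    return [inspect(m, u, b)["block"] for m, u, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, u, b), verdict in zip(SAMPLE_REQUESTS, demo()):
        print(f"{m} {u} {b[:40]!r}: block={verdict}")
```

The filter is deliberately narrow: legitimate anonymous form submissions to the same action still pass, and a value such as a URL or a clock time is not mistaken for a path. It is an interim control, not a fix; the plugin's own path validation and an upstream release remain the remediation.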

Affected packages
  • themefusion / Avada (Fusion) Builder
    ≤ 3.15.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H