External risk intelligence

Avada Fusion Builder Arbitrary File Deletion Leading to Remote Code Execution

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-8713

The vulnerability resides in a WordPress plugin component that handles form submissions via an unauthenticated AJAX endpoint. Since WordPress sites and their contact/submission forms are designed to be publicly accessible to anonymous internet users for interaction, this service is inherently exposed to the public internet by design.

Path Traversal

External exposure likelihood (Halo Surface Signal): 5 out of 5 — more likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

The Avada (Fusion) Builder plugin for WordPress has a critical vulnerability that could allow unauthenticated attackers to delete arbitrary files on a server. This could in turn lead to the execution of malicious code, impacting the integrity and availability of the WordPress site. The main concern is confirming whether this plugin is in use and assessing potential exposure.

  • Attackers can delete server files.
  • It enables remote code execution.
  • Confirm use and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by submitting a specially crafted payload to a publicly accessible Avada form. This payload leverages a path-traversal flaw in the plugin's file handling to delete arbitrary files on the server. When combined with specific form configurations, this deletion can lead to remote code execution without any user interaction.

  • Unauthenticated access to a published Avada form.
  • Submitting a path-traversal payload to the form submission handler.
  • Arbitrary file deletion, potentially leading to code execution.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could delete arbitrary files on a WordPress server running the Avada (Fusion) Builder plugin. This could lead to the deletion of critical configuration files, potentially resulting in remote code execution.

  • Server files, including configuration.
  • Via path traversal in form submissions.
  • Remote code execution possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in the Avada (Fusion) Builder plugin for WordPress impacts any site using the plugin, particularly those with published forms that save entries to the database. The first step for technical leaders and system owners is to identify all instances of the Avada (Fusion) Builder plugin across their WordPress estate, confirm whether the vulnerable functionality is exposed externally and actively used, and then determine the accountable application owner for remediation.

  • WordPress application owners should own remediation.
  • Verify exposed form submission endpoints.
  • Plan vendor coordination for updates.
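One detection control that fits the steps above is inspecting form submissions to the WordPress AJAX endpoint for path-traversal sequences before the plugin's handler sees them. The Python below is an added example, not code from the advisory or from the plugin vendor. It models request records as a WAF, reverse proxy or application middleware would hold them (method, URL, decoded form fields); plain web-server access logs do not record POST bodies, so a rule like this has to run where the body is visible. The sample requests, the field names and the `action` value are constructed for the example; the real form handler's action name is not given in the advisory and must be taken from the deployed plugin.

```python
"""Flag path-traversal indicators in WordPress AJAX form submissions.

Added detection example (not from the advisory or the plugin vendor).
Everything below the AJAX path constant is constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"  # WordPress's standard AJAX endpoint

# Matches a '..' path segment bounded by a separator or the string edge,
# after the value has been normalised to forward slashes.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode up to *rounds* times so double-encoded sequences such as
    '%252e%252e%252f' are caught, then fold backslashes to '/' and drop NUL
    bytes, which some filesystems and runtimes treat as a string terminator."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").replace("\x00", "")


def has_traversal(value: str) -> bool:
    """True if *value* contains a '..' segment once decoded and normalised."""
    return TRAVERSAL.search(normalise(value)) is not None


def inspect_request(req: dict) -> list:
    """Return the names of form fields carrying traversal sequences ([] if clean).

    req is {'method': str, 'url': str, 'fields': {name: value}}. Only POSTs to
    the AJAX endpoint are examined, because that is where plugin form handlers
    receive submissions; other paths are left to other rules.
    """
    if req["method"] != "POST" or urlsplit(req["url"]).path != AJAX_PATH:
        return []
    return [name for name, value in req["fields"].items() if has_traversal(value)]


# Constructed sample traffic, not real captures. 'example_form_submit' is a
# placeholder action name, not the plugin's real one.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": AJAX_PATH,
     "fields": {"action": "example_form_submit", "name": "Jane", "attachment": "resume.pdf"}},
    {"method": "POST", "url": AJAX_PATH,
     "fields": {"action": "example_form_submit", "attachment": "../../wp-config.php"}},
    {"method": "POST", "url": AJAX_PATH,
     "fields": {"action": "example_form_submit", "attachment": "..%252f..%252fwp-config.php"}},
    {"method": "GET", "url": "/about/",
     "fields": {"q": "../"}},  # not the AJAX endpoint: out of scope for this rule
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (index, flagged_fields) for every request that trips the rule."""
    hits = []
    for i, req in enumerate(requests):
        flagged = inspect_request(req)
        if flagged:
            hits.append((i, flagged))
    return hits


if __name__ == "__main__":
    for index, fields in scan():
        print(f"request {index}: traversal sequence in field(s) {fields}")
```

Running the block reports requests 1 and 2 (the plain and the double-encoded traversal) and stays quiet on the legitimate upload and on the GET to an unrelated path. Alerts from a rule like this are a prompt to confirm the plugin version and review the form's save-to-database setting, not proof of compromise on their own.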

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Avada Fusion Builder plugin?

Avada Fusion Builder is a drag-and-drop page builder plugin for WordPress used to design custom website layouts. It includes form-handling features that allow site visitors to submit data, which the plugin can process and store in the WordPress database. Because it is a core component of the Avada ecosystem, it is often installed alongside the Avada theme to provide advanced design and interaction capabilities.

What does CWE-22 mean for CVE-2026-8713?

CVE-2026-8713 is classified as CWE-22, which stands for Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal. This means the software fails to properly sanitize user input when defining file paths. In this specific case, an attacker can manipulate input fields to escape intended directories, allowing them to target and delete arbitrary files elsewhere on the server's file system.
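The control CWE-22 calls for is a containment check: canonicalise the requested path and refuse anything that resolves outside the directory the routine is allowed to touch. The Python below is an added illustration of that check applied to a cleanup routine of the shape the advisory describes (a file deleted on the strength of form-supplied data); it is not code from the Avada/Fusion Builder plugin, which is written in PHP, and the function names, the uploads directory and the sample file names are all constructed for the example.

```python
"""Confine a cleanup routine's deletions to one directory (CWE-22 mitigation).

Added illustration, not code from the plugin or the advisory. It contrasts a
deletion routine that trusts a caller-supplied name with one that resolves
the name and checks containment first.
"""
import os
import tempfile


class PathOutsideBase(ValueError):
    """Raised when a requested path resolves outside the permitted directory."""


def resolve_inside(base_dir: str, user_supplied: str) -> str:
    """Return the canonical path for *user_supplied* under *base_dir*, or raise.

    Both sides are canonicalised with realpath() so '..' segments, symlinks
    and redundant separators are collapsed before the comparison; a prefix
    test on the raw input string is not sufficient.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath() compares whole components, so '/srv/uploads-evil' is
    # rejected for base '/srv/uploads'. The base directory itself is also
    # refused: a cleanup routine should never be handed its own root.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(f"refusing {user_supplied!r}: resolves outside {base_dir}")
    return candidate


def is_contained(base_dir: str, user_supplied: str) -> bool:
    """Boolean form of resolve_inside() for callers that only need a verdict."""
    try:
        resolve_inside(base_dir, user_supplied)
        return True
    except PathOutsideBase:
        return False


def cleanup_entry_file_unsafe(base_dir: str, file_name: str) -> None:
    """The vulnerable shape: the caller-supplied name is used verbatim."""
    os.unlink(os.path.join(base_dir, file_name))


def cleanup_entry_file(base_dir: str, file_name: str) -> None:
    """Hardened shape: only paths that resolve inside base_dir are deleted."""
    os.unlink(resolve_inside(base_dir, file_name))


def demo() -> dict:
    """Exercise the hardened routine in a throwaway tree; report what survived."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        # Constructed sample files: one legitimate entry attachment inside
        # the uploads directory and one file outside it.
        legit = os.path.join(uploads, "entry-42.txt")
        outside = os.path.join(root, "site-config.php")
        for path in (legit, outside):
            with open(path, "w") as fh:
                fh.write("sample\n")
        cleanup_entry_file(uploads, "entry-42.txt")  # allowed: inside uploads
        rejected = False
        try:
            cleanup_entry_file(uploads, "../site-config.php")  # refused
        except PathOutsideBase:
            rejected = True
        return {
            "legit_deleted": not os.path.exists(legit),
            "traversal_rejected": rejected,
            "outside_survived": os.path.exists(outside),
        }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by stripping `..` from the input, because stripping can be bypassed by encodings and symlinks while a realpath comparison judges where the operation would actually land. The same logic belongs in front of any file operation driven by form data, not only deletion.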

How can an attacker trigger this vulnerability?

An attacker triggers the flaw by submitting a malicious request to a published Avada form that is configured to save entries to the database. The attack requires crafting a path-traversal payload and manipulating specific privacy-related form fields to force the system to perform an immediate cleanup action. If the form is not configured to save entries to the database, or if there is no published form accessible to the attacker, the specific automatic cleanup routine is not invoked.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal indicates a high likelihood of risk because the vulnerability exists within a WordPress plugin component specifically designed to handle form submissions via public AJAX endpoints. Since these forms are intended to be accessible to anonymous visitors for interaction, the affected functionality is inherently exposed to the public internet. If you have any published forms using this plugin, your site is directly reachable by external actors.

What should I do if I use this plugin?

First, locate all WordPress instances in your environment where the Avada Fusion Builder plugin is active. Once identified, determine which sites have public-facing forms that save entries to the database, as these are the primary targets. Coordinate with your application owners to prioritize these specific instances for updates and verify that your form configurations do not inadvertently expose your server to this cleanup-routine flaw.
