CVE-2026-8713— Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
Possible ATT&CK Techniques 2AI
T1105 · Ingress Tool Transfer T1068 · Exploitation for Privilege EscalationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| themefusion | Avada (Fusion) Builder | ≤ 3.15.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8713
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| themefusion | Avada (Fusion) Builder | 0 ~ 3.15.3 | - |
II. Public POCs for CVE-2026-8713
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8713
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-8713 (1)
News Coverage for CVE-2026-8713 (1)
IV. Related Vulnerabilities
Same product: Avada (Fusion) Builder
- CVE-2026-1543
Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber - CVE-2026-6279
Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Co - CVE-2026-4782
Avada Builder <= 3.15.2 - Authenticated (Subscriber+) Arbitr - CVE-2026-4798
Avada Builder <= 3.15.1 - Unauthenticated SQL Injection via - CVE-2026-1541
Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber
Same vendor: themefusion
- CVE-2026-56008
WordPress Fusion Builder plugin <= 3.15.4 - Privilege Escala - CVE-2026-54193
WordPress Fusion Builder plugin <= 3.15.4 - Arbitrary File D - CVE-2026-12256
WordPress Avada theme <= 3.15.3 - PHP Object Injection vulne - CVE-2026-54194
WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injec - CVE-2026-1543
Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber
Same weakness: CWE-22
- CVE-2026-54557
mise HTTP backend uses raw version path for install symlink - CVE-2026-56876
extract-zip unvalidated symlink path traversal - CVE-2026-55677
Echo: Encoded slash (%2F) bypasses route-level protection an - CVE-2026-57321
WordPress H5P plugin <= 1.17.7 - Arbitrary File Deletion vul - CVE-2026-56066
WordPress ShortPixel Adaptive Images plugin <= 3.11.4 - Arbi
V. Comments for CVE-2026-8713
No comments yet