A vulnerability was found in themefusion Avada Builder Plugin up to 3.15.3 on WordPress. It has been declared as critical . Impacted is the function maybe_delete_files of the file wp-config.php of the component Path Validation Handler . Executing a manipulation of the argument privacy_expiration_action can lead to path traversal. This vulnerability is tracked as CVE-2026-8713 . The attack can be launched remotely. No exploit exists.