
Critical WordPress Plugin Vulnerability Exposes 1 Million Sites to File Deletion Attacks

Source: Cybersecurity News. Archived Jun 19, 2026.



By Abinaya, June 19, 2026

A critical security vulnerability in the widely used Avada (Fusion) Builder WordPress plugin has exposed over 1 million websites to arbitrary file-deletion attacks, potentially leading to full-site compromise and remote code execution.

The flaw, tracked as CVE-2026-8713 with a CVSS score of 9.1, was discovered by security researcher “daroo” and reported through the Wordfence Bug Bounty Program. The researcher received a $3,600 reward for the finding. The vulnerability affects all plugin versions up to 3.15.3 and has been patched in version 3.15.4.

Avada WordPress Plugin Vulnerability

The issue stems from improper file path validation in the plugin’s file-deletion logic in the maybe_delete_files() function. This flaw allows unauthenticated attackers to delete arbitrary files on the server by exploiting a path-traversal vulnerability.

Attackers can abuse Avada’s form builder feature, specifically when a form is configured to store submissions in the database. By submitting a crafted payload containing directory traversal sequences, an attacker can manipulate file paths and target sensitive files outside the intended upload directory.

The attack requires a publicly accessible Avada form with database storage enabled. An attacker submits a malicious form entry containing a path such as: /wp-content/uploads/fusion-forms/../../../wp-config.php.

[Figure: The Wordfence firewall detects the path traversal attempt in form data and blocks the request (source: Wordfence)]

Due to missing validation checks, the plugin processes this input during its automated privacy cleanup routine. The system then deletes the targeted file using WordPress’s native file deletion function. Notably, the attacker can trigger this cleanup process immediately by controlling specific form parameters, requiring no authentication or administrator interaction.

Deleting critical files, such as wp-config.php, forces WordPress into a setup state. This can allow attackers to reconfigure the site using a malicious database, ultimately leading to full site takeover and remote code execution. Given the plugin’s popularity and the ease with which it can be exploited, this vulnerability poses a significant risk to affected websites.

The vulnerability was reported through Wordfence on May 13, 2026, validated and disclosed to the vendor on May 15, and patched by the Avada team on May 19. The fix was officially released in Avada version 3.15.4 on June 2, 2026.

Users are strongly advised to update to Avada Builder version 3.15.4 immediately. Websites running outdated versions remain vulnerable to active exploitation. Wordfence users are protected against this attack through built-in firewall rules that detect and block path traversal attempts in form submissions.

The root cause lies in the plugin’s failure to enforce directory containment checks or resolve file paths securely. Without validating the final resolved path, the system allows traversal sequences to escape the intended directory, enabling arbitrary file deletion.

This case highlights the ongoing risks of insufficient input validation in file-handling functions. It reinforces the importance of secure coding practices in plugin development.
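The directory containment check that the article names as missing, shown as an added PHP example (not Avada's code or its patch). The helper name `delete_if_contained` and the temporary sandbox layout are assumptions for illustration, and it calls plain `unlink()` so it runs outside WordPress.

```php
<?php
declare(strict_types=1);

/**
 * Delete $candidate only if it resolves to a regular file inside $baseDir.
 * Hypothetical helper for illustration; not the plugin's code.
 */
function delete_if_contained(string $baseDir, string $candidate): bool
{
    $base = realpath($baseDir);
    $real = realpath($candidate); // collapses "..", "." and symlinks; false if missing
    if ($base === false || $real === false) {
        return false;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // ".../fusion-forms-old" cannot pass as being inside ".../fusion-forms".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path escaped the upload directory
    }
    if (!is_file($real)) {
        return false; // never hand a directory to the delete call
    }
    return unlink($real); // a plugin would call WordPress's delete function here
}

// Constructed sandbox mirroring the layout in the article (assumed, not a real site).
$root  = sys_get_temp_dir() . '/containment-demo-' . bin2hex(random_bytes(4));
$forms = $root . '/wp-content/uploads/fusion-forms';
mkdir($forms, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // sentinel\n");
file_put_contents($forms . '/upload.txt', "constructed attachment\n");

$cases = [
    'traversal path from the article'  => $forms . '/../../../wp-config.php',
    'file inside the upload directory' => $forms . '/upload.txt',
];
foreach ($cases as $label => $path) {
    printf("%-34s deleted=%s\n", $label, var_export(delete_if_contained($forms, $path), true));
}
printf("wp-config.php still present: %s\n", var_export(is_file($root . '/wp-config.php'), true));

// Clean up the sandbox.
unlink($root . '/wp-config.php');
rmdir($forms);
rmdir($root . '/wp-content/uploads');
rmdir($root . '/wp-content');
rmdir($root);
```

The comparison is made on the resolved path, after `realpath()` has collapsed the `..` segments, which is the "final resolved path" validation the article refers to.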