PT-2026-50846 · Themefusion · Avada (Fusion) Builder

Daroo · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-8713

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Avada (Fusion) Builder versions prior to 3.15.4

Description

Insufficient file path validation in the maybe_delete_files() function allows unauthenticated attackers to delete arbitrary files on the server. This issue can lead to remote code execution if critical files, such as wp-config.php, are deleted. The attack requires a published Avada form configured to save entries to the database. An attacker can submit a path-traversal payload via the 'wp_ajax_nopriv_fusion_form_submit_ajax' endpoint while controlling the fusion_privacy_expiration_interval and privacy_expiration_action variables to trigger an immediate cleanup. This causes the entry to be processed by the Fusion_Form_DB_Privacy shutdown-hook routine without administrator interaction. Approximately 1,000,000 active installations are potentially affected.

Recommendations

Update to version 3.15.4.
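
The kind of path containment check that the description says was insufficient, shown as an added example; it is not Avada's code and not the 3.15.4 patch. The helper name, directory layout and sample files are hypothetical, and the code assumes PHP 8 with POSIX-style paths.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Avada's code): delete a file named in a stored
// form entry only if it resolves to a regular file inside $base_dir.
function delete_entry_file(string $stored_path, string $base_dir): bool
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false; // fail closed when the base directory is missing
    }
    // Relative values are interpreted against the base, never the CWD.
    $candidate = str_starts_with($stored_path, '/')
        ? $stored_path
        : $base . '/' . $stored_path;

    // realpath() collapses "../" segments and follows symlinks, so the
    // comparison below is made on the location that unlink() would hit.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return false;
    }
    if (!str_starts_with($real, $base . '/')) {
        return false; // resolved outside the allowed directory
    }
    return unlink($real);
}

// Constructed demo layout in a temp directory (sample data, not from the advisory).
$root    = sys_get_temp_dir() . '/pt-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stand-in\n");
file_put_contents($uploads . '/entry-1.txt', "uploaded\n");

var_dump(delete_entry_file('entry-1.txt', $uploads));            // inside base
var_dump(delete_entry_file('../wp-config.php', $uploads));       // relative, escapes base
var_dump(delete_entry_file($root . '/wp-config.php', $uploads)); // absolute, outside base
var_dump(file_exists($root . '/wp-config.php'));                 // is the stand-in still there?

// Clean up the demo files.
unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root);
```

The comparison uses the base path with a trailing separator so that a sibling directory such as `uploads-old` does not pass as being inside `uploads`.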

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-8713

Affected Products

Avada (Fusion) Builder