A critical vulnerability in the Avada Builder WordPress plugin has left over one million websites susceptible to severe security breaches. The flaw, identified as CVE-2026-8713 with a high CVSS score of 9.1, was discovered by security researcher 'daroo' and reported via the Wordfence Bug Bounty Program. The vulnerability, which affects all versions of the plugin up to 3.15.3, has been resolved in version 3.15.4.

This issue arises from improper validation of file paths in the plugin's file-deletion logic, specifically within the maybe_delete_files() function. This oversight allows unauthenticated attackers to perform arbitrary file deletions using a path-traversal vulnerability. Attackers can exploit the plugin's form builder feature by submitting crafted payloads that manipulate file paths, targeting sensitive files. If a form is publicly accessible and configured for database storage, an attacker can submit a malicious entry with a path such as /wp-content/uploads/fusion-forms/../../../wp-config.php, leading to the deletion of critical files. This can force WordPress into a setup state, potentially allowing attackers to reconfigure the site with malicious intent, culminating in a full site takeover.

The vulnerability was reported on May 13, 2026, validated and disclosed to the vendor by May 15, and patched by May 19. The patch was officially released on June 2, 2026, in Avada version 3.15.4. Users are urged to update their plugins immediately to avoid exploitation. Wordfence users benefit from built-in firewall rules that block such path traversal attempts. This incident underscores the critical need for secure coding practices, particularly concerning input validation in file-handling functions.
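The kind of path validation the last sentence refers to can be sketched as a containment check that runs before any deletion. This is an added example, not Avada's code or its 3.15.4 patch; the function names resolve_inside() and safe_delete() and the temporary directory tree are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: canonicalise a path and confirm it stays inside the
// allowed directory before deleting. All names here are hypothetical.

function resolve_inside(string $candidate, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate); // resolves "..", "." and symlinks; false if the path does not exist
    if ($base === false || $real === false) {
        return null;
    }
    // The trailing separator stops "/fusion-forms-other" from matching "/fusion-forms".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = strncmp($real, $base, strlen($base)) === 0;
    return ($inside && is_file($real)) ? $real : null;
}

function safe_delete(string $candidate, string $baseDir): bool
{
    $real = resolve_inside($candidate, $baseDir);
    return $real !== null && unlink($real);
}

// Constructed sample tree in a temp directory (not a real WordPress install).
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-demo-' . bin2hex(random_bytes(4));
$forms = $root . '/wp-content/uploads/fusion-forms';
mkdir($forms, 0700, true);
file_put_contents($root . '/wp-config.php', "constructed placeholder\n");
file_put_contents($forms . '/upload.txt', "constructed upload\n");

$cases = [
    $forms . '/upload.txt',              // legitimate file inside the upload directory
    $forms . '/../../../wp-config.php',  // path shape quoted in the article
    $forms . '/missing.txt',             // nonexistent file
];
foreach ($cases as $path) {
    printf("%-8s %s\n", safe_delete($path, $forms) ? 'deleted' : 'refused', $path);
}
printf("wp-config.php present: %s\n", file_exists($root . '/wp-config.php') ? 'yes' : 'no');

// Clean up the constructed tree.
unlink($root . '/wp-config.php');
rmdir($forms);
rmdir($root . '/wp-content/uploads');
rmdir($root . '/wp-content');
rmdir($root);
```

The check and the unlink() call are not atomic, so the upload directory should also be one that untrusted users cannot place symlinks in.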