Detection and remediation of vulnerability CVE-2026-8713 in the Avada Builder plugin for WordPress
In mid-May, a critical vulnerability was identified and addressed in a design tool for the WordPress content management platform; it compromised the integrity of the infrastructure of websites using that tool. Wordfence published the official statement on the incident in its security bulletin on 18 June 2026, detailing the findings once the initial risk had been mitigated.
The vulnerability, catalogued as CVE-2026-8713 with a critical CVSS score of 9.1, affected the Avada (Fusion) Builder plugin in all versions up to 3.15.3, potentially impacting over one million active installations worldwide. The flaw stemmed from insufficient validation of file paths within the internal function responsible for periodically clearing form submissions stored in the database, which allowed unauthenticated attackers to delete arbitrary files using path traversal techniques. By submitting tampered parameters via a public form, an attacker could delete essential files from the server, such as “wp-config.php”, forcing WordPress to revert to its initial installation state and allowing a third party to take administrative control of the site. The developer responded by swiftly releasing version 3.15.4 of the plugin, which fully resolves the flaw.
The security firm Wordfence has now confirmed that its web firewall rules detect and block exploitation attempts against the directory traversal vulnerability in Avada’s form data. The official recommendations issued by the developers explicitly state that system administrators using this plugin must immediately apply the update to version 3.15.4 to mitigate any persistent risk vectors in their production environments.
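The missing check described above, a file path used for deletion without confirming that it stays inside the intended directory, is closed by a containment test on the resolved path. The PHP below is an added example, not the Avada plugin's code or its 3.15.4 fix; the helper name `delete_within_base`, the sandbox layout and the file names are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Delete a file only if it resolves to a regular file inside $baseDir.
 * Hypothetical helper for illustration; not the plugin's function.
 */
function delete_within_base(string $baseDir, string $untrustedName): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // realpath() collapses "../" segments and follows symlinks, so the
    // comparison below is made on the path unlink() would really act on.
    $target = realpath($prefix . $untrustedName);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The trailing separator stops "/uploads-other" matching "/uploads".
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed sandbox standing in for a site root and its upload folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'trav-demo-' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', "constructed stand-in\n");
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'entry-1.txt', "constructed upload\n");

// One legitimate name and two names that try to leave the upload folder.
foreach (['entry-1.txt', '../wp-config.php', 'sub/../../wp-config.php'] as $name) {
    $deleted = delete_within_base($uploads, $name);
    printf("%-26s %s\n", $name, $deleted ? 'deleted' : 'refused');
}
printf("wp-config.php still present: %s\n",
    file_exists($root . DIRECTORY_SEPARATOR . 'wp-config.php') ? 'yes' : 'no');

// Clean up the sandbox.
unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($uploads);
rmdir($root);
```

Comparing resolved paths rather than filtering for "../" in the input also covers symlinks and encoded separators that a string filter would miss.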
- 19/06/2026, gbhackers.com
- 12/05/2026, wpscan.com



