A critical vulnerability in the Avada Builder WordPress plugin (CVE-2026-8713) allows attackers to delete arbitrary files on the web server, including wp-config.php. Deleting this file forces WordPress into "fresh installation" mode, allowing an attacker to run the WordPress setup wizard and configure the site with their own administrator credentials. The result is complete site takeover and remote code execution.

A patch was released on June 2, 2026 after responsible disclosure on May 15, 2026. Avada is one of the most commercially successful WordPress themes, with over 900,000 licenses sold, making this a very broad attack surface.

Affected Software and Versions

CVE-2026-8713 affects all versions of the Avada Builder plugin prior to the June 2, 2026 patched release. The vulnerability was disclosed May 15, 2026. CVSS Score: Critical. Attack vector: network. Exploitation activity has been observed.

What Is the Vulnerability?

Avada Builder contains an arbitrary file deletion vulnerability. The plugin includes functionality to clean up or remove files as part of its page-building operations, but the code handling these file operations does not properly restrict which files can be targeted. An attacker who can access this vulnerable functionality can supply a path to any file readable and deletable by the web server process — including files far outside the intended scope of the plugin's legitimate operations.

How the Attack Works

Stage 1: Delete wp-config.php

The attacker sends a crafted request to the Avada Builder's vulnerable file deletion endpoint, specifying wp-config.php (WordPress's core configuration file containing database credentials, secret keys, and authentication salts) as the deletion target.

When wp-config.php is deleted, WordPress enters "installation mode" — it detects that the configuration file is missing and displays the setup wizard, exactly as it would on a brand-new WordPress installation.

Stage 2: Run the WordPress Setup Wizard

With the setup wizard exposed, the attacker visits https://targetsite.example.com/wp-admin/install.php and runs through the wizard, which prompts for a site title, a new admin username and password, and the admin email address. WordPress happily accepts these inputs and creates a new administrator account with whatever credentials the attacker specifies. The existing database and all site content remain intact — only the wp-config.php file was deleted, and WordPress re-creates it as part of the setup wizard.

Stage 3: Full Site Takeover

The attacker now has valid administrator credentials. From WordPress admin, they can:

  • Deploy PHP backdoors via plugin or theme file upload
  • Execute arbitrary server-side code through a malicious plugin
  • Exfiltrate the entire database including all user data, orders, and content
  • Redirect all site traffic to phishing or malware pages
  • Persist access through multiple backdoors and rogue admin accounts

The net result is Remote Code Execution (RCE) and complete site compromise, achieved by chaining an arbitrary file deletion with WordPress's built-in reinstallation behavior.

Active Exploitation

Exploitation activity has been observed. The vulnerability was disclosed on May 15, 2026, with a patch released June 2, 2026. The window between disclosure and patch created an exposure period, and the attack's simplicity and devastating impact make it an attractive target for automated exploitation campaigns.

Remediation

Immediate Steps

  1. Update Avada Builder immediately to the June 2, 2026 patched release via the WordPress admin dashboard under Plugins → Updates. If you purchased Avada through ThemeForest, check for an update in your Envato account or via the Avada automatic update system.
  2. Verify wp-config.php exists in your WordPress root directory:
    ls -la /var/www/html/wp-config.php
    If it is missing, your site may have already been compromised. Do not run the setup wizard — instead, restore wp-config.php from a backup and audit your site for backdoors immediately.
  3. Audit administrator accounts. Check for any new or unrecognized administrator users:
    • WordPress admin → Users → All Users → filter by "Administrator"
    • Via WP-CLI: wp user list --role=administrator
  4. Scan for backdoors in your WordPress installation:
    grep -r "eval(base64_decode" /var/www/html/wp-content/
    grep -r "system(" /var/www/html/wp-content/plugins/
  5. Review server access logs for POST requests to Avada Builder endpoints and GET requests to wp-admin/install.php from unexpected IPs.
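
One way to carry out the log review in step 5, as an added example that is not from the original advisory: a shell function that flags requests to the setup wizard and counts the POST requests the same client sent beforehand. The log lines are constructed; the page does not name the Avada Builder endpoint, so POST_RE is a placeholder you supply (default: any POST), and setup-config.php, the WordPress script that writes a new wp-config.php, is watched in addition to the install.php path the page mentions.

```shell
#!/bin/sh
# Added example: flag setup-wizard requests in a combined-format access log.

# Constructed sample log (documentation IP ranges, made-up timestamps).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [20/May/2026:10:01:12 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [20/May/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "curl/8.5.0"
203.0.113.50 - - [20/May/2026:10:02:44 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 9034 "-" "curl/8.5.0"
203.0.113.50 - - [20/May/2026:10:02:51 +0000] "POST /wp-admin/install.php HTTP/1.1" 200 4411 "-" "curl/8.5.0"
192.0.2.10 - - [20/May/2026:10:05:00 +0000] "GET /wp-admin/install.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
EOF
}

# Usage: installer_hits [LOGFILE|-] [POST_RE] [TRUSTED_IPS]
#   POST_RE      regex for the plugin endpoint to correlate (placeholder; default any POST)
#   TRUSTED_IPS  space-separated administrator IPs to ignore
# Output: SEVERITY IP METHOD PATH STATUS prior_posts=N, one line per installer request.
installer_hits() {
    POST_RE="${2:-.}" TRUSTED="${3:-}" awk '
    BEGIN {
        re = ENVIRON["POST_RE"]
        n = split(ENVIRON["TRUSTED"], t, " ")
        for (i = 1; i <= n; i++) skip[t[i]] = 1
    }
    {
        ip = $1; method = substr($6, 2); status = $9
        path = $7; sub(/\?.*/, "", path)          # drop the query string
        if (ip in skip) next
        if (path == "/wp-admin/install.php" || path == "/wp-admin/setup-config.php") {
            # 403/404 means the server refused it (e.g. the NGINX deny rule)
            if (status == 403 || status == 404) sev = "BLOCKED"
            else if (method == "POST" || posts[ip] > 0) sev = "HIGH"
            else sev = "REVIEW"
            printf "%s %s %s %s %s prior_posts=%d\n", sev, ip, method, path, status, posts[ip]
        } else if (method == "POST" && path ~ re) {
            posts[ip]++                            # earlier POSTs from this client
        }
    }' "${1:--}"
}

# Demo on the constructed log; pass a real log path as the first argument instead.
sample_log | installer_hits
```

A HIGH line means the wizard was served to a client that submitted it or had already sent matching POST requests; check whether wp-config.php and the administrator list changed around that timestamp.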

If You Were Compromised

  • Take the site offline immediately.
  • Restore the entire WordPress installation from a clean, pre-attack backup.
  • Restore wp-config.php with new, rotated database credentials and secret keys.
  • Change all legitimate admin passwords.
  • Notify affected users if any personal data was exfiltrated.

Mitigations if Immediate Update Is Not Possible

Restrict access to wp-admin/install.php at the NGINX level to prevent the setup wizard from being accessible:

# NGINX — block install.php
location = /wp-admin/install.php {
    deny all;
}

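Ensure wp-config.php has the most restrictive file permissions possible:

chmod 400 /var/www/html/wp-config.php

On Linux, deleting a file requires write permission on its parent directory rather than on the file itself, so this setting limits who can read or modify wp-config.php but does not by itself prevent deletion while the web server account can write to that directory.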
