CVE-2026-8713 lets attackers delete files in Avada Builder plugin

A critical vulnerability, CVE-2026-8713, has been detected in the Avada Builder plugin for WordPress, impacting around 1 million sites. This flaw allows unauthenticated attackers to delete any server file, including critical WordPress files, by exploiting improper file path validation in the plugin's maybe_delete_files function. The vulnerability is rated 9.1 on the CVSS scale. Administrators are advised to update Avada Builder to version 3.15.4 or later to mitigate the risk. The researcher who discovered the bug received a $3,600 bounty. Immediate action is essential as no confirmed mass exploitation has been reported yet.