THREATOPS
THREAT OPSThreat News › Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin

Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin

medwordfencePublished 2026-06-18

<p>On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in <a href="https://avada.com/" rel="noopener" target="_blank">Avada Builder</a>, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://www.wordfence.com/blog/2026/06/critical-unauthenticated-arbitrary-file-deletion-vulnerability-patched-in-avada-builder-wordpress-plugin/