THREAT OPS › Threat News › Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin
Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin
<p>On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in <a href="https://avada.com/" rel="noopener" target="_blank">Avada Builder</a>, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily
MITRE ATT&CK techniques
Indicators of compromise
- 7965cd13376a540548ec7009cd66b05bmd5
- CVE-2026-8713cve
- https://avada.com/url
- https://www.cve.org/CVERecord?id=CVE-2026-8713url
- www.gravatar.comdomain
- victim.comdomain