Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin (opens in new tab)

On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file, such as wp-config.php, is deleted. Exploitation requires a published Avada form configured to save entries to the...