On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file, such as wp-config.php, is deleted. Exploitation requires a published Avada form configured to save entries to the database.
The post Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin appeared first on Wordfence.
This article has been indexed from Blog – Wordfence
Read the original article: