A critical unauthenticated arbitrary file deletion vulnerability has been discovered in Avada Builder, a premium WordPress plugin with approximately 1 million active installations. Tracked as CVE-2026-8713 with a CVSS score of 9.1 (Critical), the flaw allows unauthenticated attackers to delete arbitrary files on the server, potentially enabling a full site takeover via remote code execution (RCE). The vulnerability, affecting Avada (Fusion) […]
The post Critical Flaw in WordPress Plugin Allows Arbitrary File Deletion on 1 Million Sites appeared first on Cyber Security News.