
Security Bulletin for 26 June 2026: Critical File Deletion in Avada Builder and Code Injection in RD Station, Plus a Status Follow-up on Two Open Flaws

26 June 2026 · jproxx Security

This is our daily security overview, in which we review the newly published vulnerabilities and pick out the ones that genuinely matter for running WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. For 26 June 2026 we single out two critical WordPress plugin vulnerabilities and then provide a status follow-up on the two flaws we reported as still unpatched on 23 June.

CVE-2026-8713 — Unauthenticated File Deletion in the Avada (Fusion) Builder Plugin (critical)

The widely used Avada (Fusion) Builder plugin by ThemeFusion, which ships together with the popular Avada theme and is used on more than one million WordPress sites, contains a critical vulnerability in all versions up to and including 3.15.3 that allows unauthenticated attackers to delete arbitrary files on the server. The cause is insufficient validation of the file path in the maybe_delete_files cleanup routine, which allows directory traversal (CWE-22) to reach files outside the intended directory. Exploitation requires that the site has a published Avada form configured to save its entries to the database; through the responsible AJAX handler an attacker can then, without any login, submit a manipulated path such as /wp-content/uploads/fusion-forms/../../../wp-config.php and force its immediate deletion. This is what makes the flaw so dangerous: removing the central wp-config.php file resets WordPress to its installation state and can thereby allow an attacker to take over the site completely, up to and including the execution of their own code. The National Vulnerability Database carries the rating of 9.1 assigned by Wordfence and therefore classifies the vulnerability as critical. A fix is available in version 3.15.4, to which operators should update without delay; where that is not immediately possible, any affected Avada forms with database storage should be temporarily deactivated.

Sources: National Vulnerability Database — CVE-2026-8713 · Wordfence advisory
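The root cause above is a cleanup routine that trusts a client-supplied path. The following is an added example, not ThemeFusion's code and not taken from the advisory, of how a deletion helper can be written so that a value like the manipulated path in the section above is refused: the client supplies only a bare file name, the server builds the path itself, and the canonical path is checked against the intended directory before anything is unlinked. The function name delete_within_directory and the throw-away directory layout in the demonstration are assumptions for illustration.

```php
<?php
// Added example, not ThemeFusion's or Wordfence's code: a deletion helper that
// builds the path server-side and refuses any client value that would leave
// the intended directory. delete_within_directory() and the directory layout
// used in the demonstration are assumptions for illustration.

/**
 * Delete one regular file inside $base_dir, chosen by a client-supplied name.
 * Returns true only if a file inside $base_dir was actually removed.
 */
function delete_within_directory(string $base_dir, string $client_value): bool
{
    // Resolve the trusted base once; if it does not exist there is nothing to delete.
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Never accept a path from the client, only a bare file name. Reject empty
    // values, NUL bytes, any separator and the dot segments. A value such as
    // "../../../wp-config.php" is rejected here rather than silently reduced
    // to "wp-config.php" by basename().
    if ($client_value === '' || strpos($client_value, "\0") !== false) {
        return false;
    }
    if (strpbrk($client_value, '/\\') !== false || $client_value === '.' || $client_value === '..') {
        return false;
    }

    // Build the candidate path on the server and canonicalise it.
    $candidate = realpath($base . $client_value);
    if ($candidate === false) {
        return false; // missing file or dangling symlink
    }

    // Defence in depth: the canonical path must still start with the base.
    // This also catches a symlink inside the directory that points elsewhere.
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return false;
    }
    if (!is_file($candidate)) {
        return false; // refuse directories and special files
    }
    return unlink($candidate);
}

// ---- constructed demonstration in a throw-away directory ----
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/config.php', "<?php // constructed stand-in for a site configuration file\n");
file_put_contents($root . '/uploads/entry-1.csv', "constructed form entry\n");

$results = [
    'traversal rejected'      => delete_within_directory($root . '/uploads', '../config.php') === false,
    'absolute path rejected'  => delete_within_directory($root . '/uploads', $root . '/config.php') === false,
    'config file untouched'   => file_exists($root . '/config.php'),
    'legitimate file deleted' => delete_within_directory($root . '/uploads', 'entry-1.csv') === true,
    'file really gone'        => !file_exists($root . '/uploads/entry-1.csv'),
];
foreach ($results as $label => $ok) {
    echo str_pad($label, 26), $ok ? 'ok' : 'FAILED', PHP_EOL;
}

// Clean up the demonstration directory.
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

Two design points are worth noting. Reducing the input to a bare name is the primary control; the realpath prefix comparison is a second, independent check that also covers symlinks placed inside the directory. Checking is_file() before unlink() prevents the routine from being turned against directories or device files even if the earlier checks were ever relaxed.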

CVE-2026-49774 — Code Injection in the RD Station Plugin (critical)

A code injection vulnerability has been discovered in all versions up to and including 5.6.0 of the WordPress plugin RD Station, which connects WordPress sites to the marketing platform of the same name, allowing an attacker to inject and execute their own program code. Unlike the flaw described above, this one does not require fully anonymous access but an already authenticated account with low privileges, such as the “Contributor” role, which is granted on many editorially run sites. Because the impact reaches far beyond the privileges actually assigned to such an account, the rating is correspondingly high: the National Vulnerability Database carries the rating of 9.9 assigned by Patchstack and classifies the vulnerability as critical and as belonging to weakness class CWE-94 (improper control of code generation). Operators should update the plugin to version 5.7.0 or newer without delay.

Sources: National Vulnerability Database — CVE-2026-49774 · Patchstack — RD Station RCE

Follow-up: Status of the Still-Unpatched Flaws Reported on 23 June

In our bulletin of 23 June we listed two vulnerabilities for which no correction was available at the time. After re-checking the primary sources, both remain without a fix: for the unauthenticated file-download flaw in the Frontend File Manager plugin (CVE-2026-8379, all versions up to and including 23.6) and for the reflected cross-site scripting in the Simple Basic Contact Form plugin (CVE-2026-8172, all versions up to and including release 20250114), the National Vulnerability Database, as of 23 June 2026, still lists no corrected version. As long as that remains the case, the interim measures already named continue to apply: deactivating the respective plugin where it is not strictly needed, restricting access to the affected endpoints, and filtering suspicious requests through a web application firewall.

Sources: National Vulnerability Database — CVE-2026-8379 · National Vulnerability Database — CVE-2026-8172

Not sure whether you’re affected? Get in touch.


This bulletin is provided for security awareness. The official notices from the respective vendors and the sources linked above always take precedence.