{"vulnerability": "CVE-2026-8713", "sightings": [{"uuid": "457692e5-8aa9-4152-b292-445768073111", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-8713", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116776306465494065", "content": "CVE-2026-8713: CRITICAL path traversal (CVSS 9.1) in Avada (Fusion) Builder \u22643.15.3. Unauthenticated file deletion possible; RCE risk if wp-config.php is removed. Restrict access, monitor usage, check vendor for fixes. https://radar.offseq.com/threat/cve-2026-8713-cwe-22-improper-limitation-of-a-path-82beab53eaced0fc #OffSeq #WordPress #Infosec", "creation_timestamp": "2026-06-19T10:30:30.282516Z"}, {"uuid": "62e32948-33ec-4cdf-ba26-bf0f2a432c06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-8713", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mon563pgxv2l", "content": "CRITICAL path traversal in Avada (Fusion) Builder \u22643.15.3 lets unauthenticated attackers delete files \u2014 risking remote code execution. Restrict access, monitor activity, &amp; check vendor advisories. https://radar.offseq.com/threat/cve-2026-8713-cwe-22-improper-limitation-of-a-path-82beab53eaced0fc ...", "creation_timestamp": "2026-06-19T10:30:30.480265Z"}, {"uuid": "278fb18d-f980-407e-8006-25455ccb219c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8713", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mongltu7ft2a", "content": "CVE-2026-8713: The Silent WordPress Plugin Flaw That Could Erase Your Entire Website in Seconds +\u00a0Video\n\nA Hidden Danger Inside One of WordPress\u2019 Most Popular Builders In the vast ecosystem of WordPress plugins, few tools are as widely used for page design and form building as the Avada Builder\u2026", "creation_timestamp": "2026-06-19T13:19:15.836110Z"}, {"uuid": "1e0b5501-1d98-4b02-b76f-eb6e6d201c6d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8713", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3moostal2o52d", "content": "Top 3 CVE for last 7 days:\nCVE-2026-50656: 26 interactions\nCVE-2026-54420: 26 interactions\nCVE-2026-20262: 20 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-20253: 6 interactions\nCVE-2026-47729: 5 interactions\nCVE-2026-8713: 4 interactions\n", "creation_timestamp": "2026-06-20T02:30:48.822569Z"}, {"uuid": "c3ff26d1-324b-4d50-aaf7-0562d427ea02", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-8713", "type": "seen", "source": "https://bsky.app/profile/ahmandonk.bsky.social/post/3mosdmdph4v2t", "content": "\ud83d\udcf0 Peretas Eksploitasi Celah Keamanan Kebocoran Informasi pada Plugin WordPress Gravity SMTP\n\n\ud83d\udc49 Baca artikel lengkap di sini: https://ahmandonk.com/2026/06/21/peretas-eksploitasi-celah-api-gravity-smtp-wordpress/\n\n#avadaBuilder #celahKeamanan #cve-2026-4020 #cve-2026-8713 #exploit #gravitySmtp ", "creation_timestamp": "2026-06-21T12:11:05.519845Z"}, {"uuid": "a1ee76e6-66e8-4428-b695-d276979ff925", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8713", "type": "seen", "source": "https://bsky.app/profile/securitycyberuk.bsky.social/post/3motn45ueih2b", "content": "\ud83d\udea8  ALERT: CVE-2026-8713\n\nCVSS 9.1/10\n\n\ud83d\udccb WHAT IT IS:\nThe Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenti", "creation_timestamp": "2026-06-22T00:31:43.229927Z"}, {"uuid": "9830279c-f308-4578-b499-73bc7db6faad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8713", "type": "seen", "source": "https://bsky.app/profile/mysites.guru/post/3mouxahndsg24", "content": "Avada Builder 3.15.4 patches CVE-2026-8713: unauthenticated arbitrary file deletion (CVSS 9.1). Delete wp-config.php, WordPress drops to setup mode, an attacker's path to full RCE.\n\nFind affected sites:\nmysites.guru/blog/avada-b...", "creation_timestamp": "2026-06-22T13:05:45.529105Z"}, {"uuid": "a0169fa0-9f4c-4537-b068-9ea1f93f3733", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8713", "type": "seen", "source": "https://bsky.app/profile/mysites.guru/post/3mowzzenxmx2r", "content": "Avada Builder 3.15.4 patches CVE-2026-8713: unauthenticated arbitrary file deletion (CVSS 9.1). Delete wp-config.php, WordPress drops to setup mode, an attacker's path to full RCE.\n\nFind affected sites:\nmysites.guru/blog/avada-b...", "creation_timestamp": "2026-06-23T09:00:47.889374Z"}, {"uuid": "24dd6c77-5592-44d9-8fab-df0ad0a9dec3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8713", "type": "seen", "source": "https://bsky.app/profile/donwebmedia.bsky.social/post/3mpl5z5jkqh2k", "content": "Avada Builder CVE-2026-8713: 1M sitios en riesgo\n\nCVE-2026-8713 en Avada Builder permite borrar wp-config.php sin login y tomar control total del sitio. \u00bfTen\u00e9s versi\u00f3n 3.15.3 o anterior? Actualiz\u00e1 ya.\n\n#avadabuilder #cve20268713 #pathtraversal #borradodearchivos #wordpressplugin", "creation_timestamp": "2026-07-01T09:05:30.454160Z"}]}