If you use Avada Builder, update it now. A newly patched flaw can let attackers delete key files without logging in, and that can open the door to a full site takeover.

Update Avada Builder now

Wordfence reported a critical flaw in the premium Avada Builder plugin. The bug lets an attacker delete files on the server without an account. If the attacker removes a file like wp-config.php, they may then run their own code on the server, which means they can take over the site.

This affects sites that use Avada Builder and also have a published Avada form set to save entries to the database. Wordfence says the plugin has about 1,000,000 active installs, so this reaches a lot of sites. Sites that do not use a published Avada form with database entry storage do not match the attack setup Wordfence described. That said, the plugin still needs the patch.

Update Avada Builder to the latest patched version now. If you cannot update right away, unpublish any Avada forms that save entries to the database until you do. Wordfence says its firewall already blocks this attack for users who run it, but that does not replace the update.

