CVE-2026-8713
Vendor patch released, credible advisory signal; no PoC/KEV confirmation yet.
What: Unauthenticated arbitrary file deletion vulnerability in Avada Fusion Builder WordPress plugin (≤3.15.3), affecting ~1M sites. CVSS 9.1 (Critical).
Why it matters: Posts cite an available vendor patch (3.15.4), active discussion of the file deletion risk, and widespread exposure of the WordPress plugin. No public PoC or confirmed in-the-wild exploitation is evident; KEV status is unknown, but the high CVSS score and patch availability suggest a legitimate vulnerability that warrants defender urgency.
Where it's seen: Security feed aggregators (Vulmon, Wordfence) and cybersecurity Twitter/Bluesky accounts sharing advisory summaries and patch guidance. Framing emphasizes scale (1M installations) and severity (CVSS 9.1) but offers limited technical depth on actual exploitation.
RISK: CRITICAL — Unauthenticated RCE/data loss vector on 1M WordPress sites; patch available.
No NVD details ingested for this CVE yet.