Avada Builder WordPress plugin flaws allow site credential theft
By Bill Toulas, May 15, 2026 11:56 AM
Two vulnerabilities in the Avada Builder plugin for WordPress, which has an estimated one million active installations, allow attackers to read arbitrary files and extract sensitive information from the database. One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated user with at least subscriber-level access to read the contents of any file on the server.
The other security issue received the identifier CVE-2026-4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is possible only if the WooCommerce e-commerce plugin for WordPress was enabled at some point and then deactivated. Avada Builder is a drag-and-drop page builder plugin for the Avada WordPress theme that lets users create and customize website layouts, content sections, and design elements without writing code.
The two issues were discovered by security researcher Rafie Muhammad, who reported them through the Wordfence Bug Bounty Program and received $3,386 and $1,067, respectively, for the findings. Wordfence explains that the arbitrary file read is possible via the plugin’s shortcode-rendering functionality and the custom_svg parameter. The issue is that the plugin does not properly validate file types or sources, allowing access to sensitive files such as wp-config.php, which typically contains database credentials and cryptographic keys.
Access to wp-config.php can lead to the compromise of an administrator account and full site takeover. Although the flaw received a medium-severity rating because it requires subscriber-level access, the requirement does not represent a barrier, as many WordPress sites offer user registration. The time-based blind SQL injection flaw tracked as CVE-2026-4798 affects Avada Builder versions through 3.15.1.
The issue exists because user-controlled input from the product_order parameter was inserted into an SQL ORDER BY clause without proper query preparation. The flaw can be exploited by unauthenticated attackers to extract sensitive information from the site database, including password hashes. The prerequisite for exploiting it is that WooCommerce was previously used and then deactivated, with its database tables left intact.
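To make the two bug classes described above concrete, here is an added illustration written for this article; it is not Avada Builder's code, and the function names, the `fetch_products_*` query, the `render_custom_svg_*` shortcode handlers and the sort-key allow-list are all assumptions. Each hypothetical handler is shown next to a hardened version: an ORDER BY clause cannot be parameterised with `$wpdb->prepare()`, so the sort key must be mapped onto a fixed allow-list, and a file path taken from a shortcode attribute must be resolved and confined to the uploads directory before it is read.

```php
<?php
// Added illustration, not Avada Builder's code. Function names and the
// allow-list are assumptions; the WordPress APIs ($wpdb, realpath, etc.) are real.

// --- 1. ORDER BY built from user input (the CVE-2026-4798 bug class) ---
// Unsafe: $wpdb->prepare() escapes values only; it cannot safely bind an
// identifier or sort keyword, so interpolating product_order hands the caller
// control over the ORDER BY clause.
function fetch_products_unsafe( $product_order ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = 'product' ORDER BY {$product_order}";
    return $wpdb->get_results( $sql );
}

// Hardened: the request value is only a key into a fixed allow-list of
// column/direction pairs; anything unrecognised falls back to the default.
function fetch_products_safe( $product_order ) {
    global $wpdb;
    $allowed = array(
        'date_desc'  => 'post_date DESC',
        'date_asc'   => 'post_date ASC',
        'title_asc'  => 'post_title ASC',
        'title_desc' => 'post_title DESC',
    );
    $order_sql = isset( $allowed[ $product_order ] ) ? $allowed[ $product_order ] : $allowed['date_desc'];
    $sql = $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s", 'product' );
    return $wpdb->get_results( $sql . ' ORDER BY ' . $order_sql ); // only allow-listed SQL is appended
}

// --- 2. custom_svg attribute used as a file path (the CVE-2026-4782 bug class) ---
// Unsafe: whatever path the shortcode attribute names is read and returned,
// so any file the web server can read (wp-config.php included) is exposed.
function render_custom_svg_unsafe( $atts ) {
    return file_get_contents( $atts['custom_svg'] );
}

// Hardened: resolve the path with realpath() (which collapses ../ and symlinks),
// require the result to stay inside the uploads directory, and require a .svg
// extension; an empty string is returned for anything that fails a check.
function render_custom_svg_safe( $atts ) {
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( $base . '/' . ltrim( (string) $atts['custom_svg'], '/' ) );
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return ''; // outside the uploads tree, or does not exist
    }
    if ( 'svg' !== strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        return ''; // wrong file type
    }
    return file_get_contents( $target );
}
```

Note that the hardened SVG handler only settles the file-read problem; inlining SVG markup still calls for sanitising it (it is XML and can carry script), which is a separate concern from the flaw reported here.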
The two flaws were submitted to Wordfence on March 21 and reported to the Avada Builder publisher on March 24. A partial fix, version 3.15.2, was released on April 13, while the fully patched version 3.15.3 was released on May 12. Impacted website owners and administrators are advised to update to Avada Builder version 3.15.3 as soon as possible.
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.