Two security vulnerabilities in the Avada Builder plugin for WordPress could allow hackers to read sensitive files from websites and extract private information from their databases.

Avada Builder is a popular drag-and-drop page builder plugin used with the Avada WordPress theme. It allows website owners to create and customize layouts, content sections, and design elements without writing code. The plugin has an estimated one million active installations.

One of the flaws, tracked as CVE-2026-4782, affects all versions of Avada Builder up to 3.15.2. Authenticated users with at least subscriber-level access can exploit it to read any file on the server. While the flaw requires a logged-in user, this is still a serious risk because many WordPress websites allow public user registration.

According to Wordfence, the issue exists in the plugin’s shortcode-rendering feature and its custom_svg parameter. The plugin does not properly validate file types or file sources, which can allow attackers to access sensitive files such as wp-config.php. This file often contains database credentials and cryptographic keys, and access to it can lead to administrator account compromise or even full website takeover.
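The defensive pattern the file-read flaw calls for is to never let a shortcode attribute name a file. The following is an added illustration written for this article, not Avada Builder's own code: a hypothetical `example_safe_svg` shortcode that accepts only a media-library attachment ID, resolves it through WordPress, confirms the resolved path stays inside the uploads directory, and confirms the file is actually an SVG before inlining it. The shortcode and function names are invented; the WordPress functions it calls (`absint`, `get_attached_file`, `wp_get_upload_dir`, `wp_check_filetype`, `shortcode_atts`, `add_shortcode`) are real.

```php
<?php
// Added illustration (not Avada Builder's code): a shortcode that inlines an SVG
// but only accepts a WordPress attachment ID, never a caller-supplied path or URL.
// Assumes it runs inside WordPress, where the functions used below are defined.

function example_resolve_svg_attachment( $raw_id ) {
    // Coerce to a positive integer; paths, URLs and "../" all become 0 and are rejected.
    $attachment_id = absint( $raw_id );
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        return false;
    }

    // Resolve the file through the media library, not from user input.
    $path = get_attached_file( $attachment_id );
    if ( ! $path ) {
        return false;
    }
    $real    = realpath( $path );
    $uploads = realpath( wp_get_upload_dir()['basedir'] );
    if ( false === $real || false === $uploads ) {
        return false;
    }

    // Containment check: the resolved file must live inside the uploads directory,
    // so symlinks or stale attachment metadata cannot point at wp-config.php.
    if ( 0 !== strpos( $real, $uploads . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    // Only SVG may be inlined. The explicit mime list is needed because WordPress
    // does not include svg in its default allowed types.
    $type = wp_check_filetype( $real, array( 'svg' => 'image/svg+xml' ) );
    if ( 'svg' !== $type['ext'] || 'image/svg+xml' !== $type['type'] ) {
        return false;
    }
    return $real;
}

function example_safe_svg_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts, 'example_safe_svg' );
    $file = example_resolve_svg_attachment( $atts['custom_svg'] );
    if ( false === $file ) {
        return ''; // Fail closed: nothing is rendered and no file contents leak.
    }
    $svg = file_get_contents( $file );
    if ( false === $svg || false === stripos( $svg, '<svg' ) ) {
        return '';
    }
    // SVG can carry script; run it through an SVG sanitizer before output in real code.
    return $svg;
}
add_shortcode( 'example_safe_svg', 'example_safe_svg_shortcode' );
```

The two checks that matter are the containment test on the `realpath()` result and the file-type test on the resolved file: validating the attribute string alone would not catch an attachment whose stored path has been pointed elsewhere.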

The second vulnerability, tracked as CVE-2026-4798, is a time-based blind SQL injection flaw that affects Avada Builder versions up to 3.15.1. Unlike the file-read issue, this flaw can be exploited without authentication. However, it only works in cases where the WooCommerce plugin was previously enabled and then deactivated, while its database tables remain intact.


The SQL injection issue comes from improper handling of user-controlled input in the product_order parameter, which was inserted into an SQL ORDER BY clause without being prepared or validated. Attackers could exploit this flaw to extract sensitive information from the site’s database, including password hashes.
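ORDER BY is a common place for this class of bug because column names and sort directions cannot be bound as prepared-statement parameters, so developers fall back to string concatenation. The fix is an allow-list that maps the request value to a fixed column expression. The following is an added illustration written for this article, not Avada Builder's or WooCommerce's code; the function names and the `product_order` mapping are invented, and `$wpdb->prepare`, `sanitize_key` and `absint` are real WordPress APIs.

```php
<?php
// Added illustration (not Avada Builder's code): building an ORDER BY clause from
// request input. The column and direction are mapped through an allow-list; only
// the values that can be real parameters are passed to $wpdb->prepare().
// Assumes it runs inside WordPress with the global $wpdb available.

function example_build_order_clause( $raw_order, $raw_dir = 'asc' ) {
    // Allow-list: request value => column expression that will actually be used.
    $columns = array(
        'date'  => 'p.post_date',
        'title' => 'p.post_title',
        'menu'  => 'p.menu_order',
    );
    $directions = array( 'asc' => 'ASC', 'desc' => 'DESC' );

    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $key = sanitize_key( (string) $raw_order );
    $dir = strtolower( (string) $raw_dir );

    // Unknown values fall back to a fixed default; user text never reaches the SQL.
    $column    = isset( $columns[ $key ] ) ? $columns[ $key ] : $columns['date'];
    $direction = isset( $directions[ $dir ] ) ? $directions[ $dir ] : 'ASC';

    return "ORDER BY {$column} {$direction}";
}

function example_get_products( $raw_order, $raw_dir, $per_page = 10 ) {
    global $wpdb;
    $order_by = example_build_order_clause( $raw_order, $raw_dir );

    // The ORDER BY fragment is interpolated only because every part of it came
    // from the allow-list above; the remaining values go through placeholders.
    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title
           FROM {$wpdb->posts} p
          WHERE p.post_type = %s AND p.post_status = %s
          {$order_by}
          LIMIT %d",
        'product',
        'publish',
        absint( $per_page )
    );
    return $wpdb->get_results( $sql );
}

// Example call from a request handler (hypothetical parameter names):
// $rows = example_get_products( $_GET['product_order'] ?? '', $_GET['order_dir'] ?? 'asc' );
```

Because a sort key is a SQL identifier rather than a value, escaping it is the wrong tool: the only safe approach is to treat the request value as a lookup key into a table the code controls, which is what the allow-list does. A query that concatenates the raw parameter will also stand out in code review as the place a time-based blind injection would land.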

Both vulnerabilities were discovered by security researcher Rafie Muhammad and reported through the Wordfence Bug Bounty Program. The researcher received rewards of $3,386 and $1,067 for the findings.

The flaws were submitted to Wordfence on March 21 and reported to the Avada Builder publisher on March 24. A partial fix was released with version 3.15.2 on April 13, while the fully patched version 3.15.3 was released on May 12.

Website owners and administrators using Avada Builder are strongly advised to update the plugin to version 3.15.3 as soon as possible to protect their sites from possible attacks.
