Avada Builder WordPress plugin flaws allow site credential theft

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database.

One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated users with at least subscriber-level access to read the contents of any file on the server.

The other security issue received the identifier CVE-2026-4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is possible only if the WooCommerce e-commerce plugin for WordPress has been enabled and then deactivated.

Avada Builder is a drag-and-drop webpage builder plugin for the Avada WordPress theme that lets you create and customize website layouts, content sections, and design elements without writing code.

The two issues were discovered by security researcher Rafie Muhammad, who reported them through the Wordfence Bug Bounty Program and received $3,386 and $1,067, respectively, for the findings.

Wordfence explains that the arbitrary file read is possible via the plugin’s shortcode-rendering functionality and the custom_svg parameter. The issue is that the plugin does not properly validate file types or sources, allowing access to sensitive files such as wp-config.php, which typically contains database credentials and cryptographic keys.

Access to wp-config.php can lead to the compromise of an administrator account and full site takeover.

Although the flaw received a medium-severity rating because it requires subscriber-level access, the requirement does not represent a barrier, as many WordPress sites offer user registration.

The time-based blind SQL injection flaw tracked as CVE-2026-4798 affects Avada Builder versions through 3.15.1. The issue exists because user-controlled input from the product_order parameter was inserted into an SQL ORDER BY clause without proper query preparation.

The flaw can be exploited by unauthenticated attackers to extract sensitive information from the site database, including password hashes. The prerequisite for exploiting it is to have used WooCommerce and then deactivated it, and its database tables must be intact.

The two flaws were submitted to Wordfence on March 21 and reported to the Avada Builder publisher on March 24. A partial fix, version 3.15.2, was released on April 13, while the fully patched version 3.15.3 was released on May 12.

Impacted website owners/admins are advised to update to Avada Builder version 3.15.3 as soon as possible.