Avada Builder Vulnerabilities Impact One Million WordPress Sites

Avada Builder Vulnerabilities Affect One Million WordPress Sites

Last updated on May 14, 2026May 14, 2026 by Souvik Banerjee on Categories WordPress

Table of Contents

Recent revelations concerning two vulnerabilities in the Avada Builder plugin for WordPress have jeopardized approximately one million websites, exposing them to the risks of arbitrary file reading and SQL injection attacks.

As reported by Wordfence on May 12, these critical flaws were identified by independent researcher Rafie Muhammad through the Wordfence Bug Bounty Program, with initial reports made on March 21.

Flaws in SVG Shortcode and Post Cards

The first vulnerability, designated as CVE-2026-4782, pertains to an arbitrary file reading issue, garnering a CVSS score of 6.5. This flaw resides within the plugin’s

fusion_get_svg_from_file function, which is executed via the fusion_section_separator shortcode when the custom_svg parameter is activated.

Lamentably, the function neglects to validate file types or sources. Therefore, authenticated users with merely subscriber-level access are able to access sensitive files on the server, including wp-config.php, which contains vital database credentials, cryptographic keys, and salts.

For additional insights on WordPress plugin vulnerabilities: Flaw in Slider Revolution Plugin Breaches 4 Million WordPress Sites

The second vulnerability, identified as CVE-2026-4798, represents a more grave unauthenticated time-based SQL injection in the product_order parameter, meriting a high CVSS score of 7.5.

Despite the plugin’s use of sanitize_text_field() on the input, this function fails to adequately counter SQL injection attacks. The ensuing ORDER BY clause is incorporated into the query without employing WordPress’s prepare() method for proper escaping.

This vulnerability is exploitable solely on sites where WooCommerce had been installed and subsequently deactivated.

Disclosure and Remediation Timeline

On March 24 and 25, Wordfence provided a comprehensive disclosure to the Avada development team, which commenced rectification efforts immediately thereafter.

An initial patch was released in version 3.15.2 on April 13, followed by a comprehensive fix in version 3.15.3 on May 12.

Wordfence has urged website administrators to implement the update without hesitation. Given the potential implications of these vulnerabilities, site owners may also consider the following defensive strategies:

A computer monitor displaying the Wordfence security dashboard sits on a desk in a server room, with a keyboard and coffee cup nearby.

Conducting audits of subscriber accounts created around the disclosure period.
Rotating credentials housed in wp-config.php if indicators of compromise exist.
Monitoring admin-ajax.php traffic for anomalies that reference the compromised shortcode.

Source link: Infosecurity-magazine.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.