Blog Details

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, enable hackers to read arbitrary recordsdata and extract sensitive data from the database.

One amongst the failings is tracked as CVE-2026-4782 and is liable to be exploited in all variations of the plugin through 3.15.2 by an authenticated users with no longer lower than subscriber-stage earn entry to to read the contents of any file on the server.

The assorted security arena got the identifier CVE-2026-4798 and is an SQL injection that would be leveraged with out authentication. Nonetheless, exploitation is most likely handiest if the WooCommerce e-commerce plugin for WordPress has been enabled after which deactivated.

Avada Builder is a creep-and-tumble webpage builder plugin for the Avada WordPress theme that potential that you can create and customize web space layouts, bellow sections, and compose functions with out writing code.

The 2 points were came all the scheme in which through by security researcher Rafie Muhammad, who reported them throughout the Wordfence Malicious program Bounty Program and got $3,386 and $1,067, respectively, for the findings.

Wordfence explains that the arbitrary file read is most likely throughout the plugin’s shortcode-rendering efficiency and the custom_svg parameter. The topic is that the plugin would now not properly validate file kinds or sources, allowing earn entry to to sensitive recordsdata akin to wp-config.php, which typically comprises database credentials and cryptographic keys.

Access to wp-config.php can lead to the compromise of an administrator yarn and whole space takeover.

Despite the truth that the flaw got a medium-severity rating on yarn of it requires subscriber-stage earn entry to, the requirement would now not signify a barrier, as many WordPress sites offer user registration.

The time-essentially based entirely mostly blind SQL injection flaw tracked as CVE-2026-4798 impacts Avada Builder variations through 3.15.1. The topic exists on yarn of user-controlled enter from the product_order parameter used to be inserted into an SQL ORDER BY clause with out finest request preparation.

The flaw would be exploited by unauthenticated attackers to extract sensitive data from the space database, collectively with password hashes. The prerequisite for exploiting it is some distance to own passe WooCommerce after which deactivated it, and its database tables must always restful be intact.

The 2 flaws were submitted to Wordfence on March 21 and reported to the Avada Builder publisher on March 24. A partial fix, model 3.15.2, used to be launched on April 13, while the entirely patched model 3.15.3 used to be launched on Could well well also 12.

Impacted web space householders/admins are told to update to Avada Builder model 3.15.3 as soon as most likely.