A critical security alert has been issued for the Avada Builder WordPress plugin, which is used by more than one million websites. Two vulnerabilities in the plugin could be exploited by attackers to access sensitive data and server files.
Details of the Avada Builder Vulnerabilities
Security experts have identified vulnerabilities in Avada Builder that could be actively targeted if not patched. These flaws, found by researcher Rafie Muhammad through the Wordfence Bug Bounty Program, include an arbitrary file read vulnerability (CVE-2026-4782) and a SQL injection flaw (CVE-2026-4798).
The vulnerabilities affect Avada Builder versions up to 3.15.2 and 3.15.1, respectively, necessitating an immediate update to ensure site security.
Arbitrary File Read Risk
The first vulnerability allows authenticated users with minimal access, such as subscribers, to read sensitive server files. This issue arises from inadequate validation of the “custom_svg” parameter within a shortcode, permitting attackers to access critical files like wp-config.php. This file contains database credentials and security keys essential for site security.
Given a CVSS score of 6.5, this vulnerability is considered medium severity but poses a high practical risk due to the exposure of sensitive information.
SQL Injection Threat
The second vulnerability, rated more severe with a CVSS score of 7.5, permits unauthenticated attackers to execute time-based SQL injection attacks using the “product_order” parameter. This flaw stems from insufficient sanitization of database queries, allowing malicious SQL commands to be injected.
Attackers can exploit this to extract sensitive data, like user credentials, from the database, especially if WooCommerce was previously installed and later disabled. The Avada development team has released updates to address these vulnerabilities, culminating in version 3.15.3 on May 12, 2026. Site owners should immediately update to this version or later.
Steps to Mitigate Risks
To safeguard against these vulnerabilities, it is vital for Avada Builder users to update to the latest version. Additionally, reviewing user roles to eliminate unnecessary subscriber accounts and monitoring logs for unusual database queries or file access can enhance security.
Employing a web application firewall, such as Wordfence, offers an extra layer of protection against potential exploits.
Conclusion
This incident underscores the importance of regularly auditing even widely trusted plugins, as they can introduce significant security risks. With a vast number of installations, the Avada Builder plugin presents an attractive target for hackers. Site owners must remain vigilant and ensure timely patching to protect their WordPress websites from exploitation.
