VYPR
patch · Published May 12, 2026 · Updated May 18, 2026 · 1 source

1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder Plugin

Two vulnerabilities in the Avada Builder WordPress plugin, affecting up to 1,000,000 sites, allow authenticated arbitrary file read and unauthenticated SQL injection, with patches now available.

Two critical security vulnerabilities have been disclosed in the Avada Builder WordPress plugin, a popular page builder with an estimated 1,000,000 active installations. The flaws, discovered and responsibly reported by researcher Rafie Muhammad through the Wordfence Bug Bounty Program, include an authenticated arbitrary file read vulnerability and an unauthenticated SQL injection vulnerability. Wordfence released firewall rules to protect against exploitation, and the plugin developer has issued patches.

The first vulnerability, tracked as CVE-2026-4782, is an authenticated arbitrary file read flaw with a CVSS score of 6.5 (Medium). It affects all versions of Avada Builder up to and including 3.15.2. The issue resides in the `fusion_get_svg_from_file` function, which is invoked by the `fusion_section_separator` shortcode via the `custom_svg` parameter. An authenticated attacker with Subscriber-level access or above can exploit this to read arbitrary files on the server, including sensitive configuration files or database credentials. The function does not validate the type or origin of the file it is given, so non-SVG files such as PHP files can be read through it.

The second vulnerability, CVE-2026-4798, is an unauthenticated time-based SQL injection with a CVSS score of 7.5 (High). It affects versions up to and including 3.15.1. The flaw exists in the `product_order` parameter due to insufficient escaping and lack of prepared statements. An unauthenticated attacker can append malicious SQL queries to existing queries, potentially extracting sensitive data such as password hashes from the database. Notably, this vulnerability is exploitable only if WooCommerce was previously used and then deactivated on the site.
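The two root causes described above (a file path and file type that are never validated, and an ordering parameter concatenated into SQL) map onto two standard WordPress hardening patterns. The block below is an added illustration, not Avada Builder's or Wordfence's code: the function names are hypothetical, only the WordPress APIs (`wp_get_upload_dir`, `wp_normalize_path`, `WP_Error`) are real, and treating `product_order` as an ORDER BY input is an assumption made for the example.

```php
<?php
// Added illustrative hardening patterns, not the plugin's own code. Function
// names are hypothetical; only the WordPress API calls are real.

/**
 * Read an SVG file by path and return its markup, refusing any path outside
 * the uploads directory and any file that is not an SVG document.
 * Returns the markup on success or a WP_Error on rejection.
 */
function example_get_svg_from_file( $path ) {
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( wp_normalize_path( (string) $path ) );

    // realpath() collapses "../" segments and symlinks; reject paths that do
    // not exist or that do not stay strictly below the uploads base directory.
    if ( false === $base || false === $real
        || 0 !== strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) ) {
        return new WP_Error( 'svg_path', 'Path is outside the uploads directory.' );
    }
    // Allow only the .svg extension so .php or configuration files are never read.
    if ( 'svg' !== strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) ) {
        return new WP_Error( 'svg_type', 'Only .svg files may be embedded.' );
    }
    $contents = file_get_contents( $real );
    // The extension alone is not proof of type: require an <svg root element.
    if ( false === $contents || false === stripos( $contents, '<svg' ) ) {
        return new WP_Error( 'svg_content', 'File is not an SVG document.' );
    }
    return $contents;
}

/**
 * Build an ORDER BY clause from user-supplied ordering parameters. Column
 * names and sort direction cannot be bound through $wpdb->prepare()
 * placeholders, so they are matched against an allowlist instead of being
 * escaped and interpolated; anything unrecognised falls back to a default.
 */
function example_orderby_sql( $orderby, $order ) {
    $columns = array( 'post_date', 'post_title', 'menu_order' );
    $column  = in_array( $orderby, $columns, true ) ? $orderby : 'post_date';
    $dir     = 'ASC' === strtoupper( (string) $order ) ? 'ASC' : 'DESC';
    return "ORDER BY {$column} {$dir}";
}
```

The allowlist in the second function is the relevant caveat for this class of bug: `$wpdb->prepare()` protects values, not identifiers or keywords, so an ordering parameter needs structural validation rather than escaping.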

Wordfence responded swiftly, providing firewall protection to its premium users on March 25, 2026 for the arbitrary file read vulnerability, and free users received the same protection on April 24, 2026. The SQL injection vulnerability is mitigated by Wordfence's built-in SQL injection protection for all users. The developer released the first patch (version 3.15.2) on April 13, 2026, which partially addressed the arbitrary file read and fully patched the SQL injection. The second patch (version 3.15.3) was released on May 12, 2026, fully resolving the arbitrary file read issue.

Users are strongly urged to update their Avada Builder plugin to version 3.15.3 or later immediately. Given the widespread use of the plugin and the potential for data exfiltration, these vulnerabilities pose a significant risk to WordPress site security. The disclosure highlights the importance of prompt patching and the value of coordinated vulnerability disclosure programs in protecting the WordPress ecosystem.

Synthesized by Vypr AI