Critical Flaws in Avada Builder Plugin Expose One Million WordPress Sites to Takeover
A pair of vulnerabilities in the widely used Avada Builder WordPress plugin allows for arbitrary file reading and unauthenticated SQL injection, potentially leading to full site compromise.

Two critical vulnerabilities have been identified in the Avada Builder WordPress plugin, a popular drag-and-drop page builder with an estimated one million active installations. These flaws, discovered by security researcher Rafie Muhammad through the Wordfence Bug Bounty Program, could allow attackers to read arbitrary files from a server or perform SQL injection attacks to extract sensitive database information (BleepingComputer).
The first vulnerability, tracked as CVE-2026-4782, is an arbitrary file read flaw affecting all versions of the plugin up to and including 3.15.2. The issue stems from the plugin's shortcode-rendering functionality, specifically within the custom_svg parameter, which fails to properly validate file types or sources (BleepingComputer). By exploiting this, an authenticated user with at least subscriber-level access can read sensitive files, including wp-config.php. Because wp-config.php typically contains database credentials and cryptographic keys, this access can facilitate a full site takeover (BleepingComputer).
The second vulnerability, CVE-2026-4798, is a time-based blind SQL injection flaw present in versions through 3.15.1. This issue occurs because the product_order parameter is inserted into an SQL ORDER BY clause without proper query preparation (BleepingComputer). Unlike the first flaw, this can be exploited by unauthenticated attackers. However, exploitation is conditional: it requires the WooCommerce plugin to have been enabled and then subsequently deactivated, leaving the necessary database tables intact (BleepingComputer).
The security implications of these vulnerabilities are significant, particularly given the widespread use of the Avada Builder plugin. While CVE-2026-4782 is rated as medium-severity due to the requirement for subscriber-level access, Wordfence notes that this is rarely a significant barrier, as many WordPress sites allow public user registration (BleepingComputer). The ability to extract password hashes via the SQL injection flaw further increases the risk of unauthorized access and data exfiltration.
The vulnerabilities were reported to the plugin developer on March 24, 2026, following their initial submission to Wordfence on March 21. A partial fix was released in version 3.15.2 on April 13, followed by a complete resolution in version 3.15.3, which was made available on May 12 (BleepingComputer). Website administrators are strongly urged to update their installations to version 3.15.3 immediately to mitigate these risks.
These findings highlight the ongoing security challenges associated with complex WordPress plugins that integrate with other ecosystems like WooCommerce. As attackers continue to target common plugins to gain a foothold in web environments, prompt patch management and strict input validation remain critical components of site security. Administrators should monitor their plugin environments for similar dependencies and ensure that all components are kept up to date (BleepingComputer).
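Both root causes described above (a request value spliced into ORDER BY, and a file reference used without checking its type or location) have the same defensive fix: never let the raw request value reach the sink. The PHP below is an added illustration written for this article, not Avada Builder's code; the function names, the `$orderby_map` allowlist and the uploads-directory assumption are hypothetical.

```php
<?php
// Added illustration, not plugin code. Shows the hardened handling a plugin
// would apply to a sort parameter and to a user-selected SVG path.

/**
 * Map a user-supplied sort key to a fixed SQL fragment. Unknown keys fall back
 * to a safe default, so request text never reaches the ORDER BY clause.
 * ($orderby_map is an assumed allowlist; real plugins define their own.)
 */
function safe_product_order( string $requested ): string {
    $orderby_map = array(
        'date'  => 'post_date DESC',
        'title' => 'post_title ASC',
        'price' => 'CAST(meta_value AS DECIMAL) ASC',
    );
    $key = strtolower( trim( $requested ) );
    return $orderby_map[ $key ] ?? $orderby_map['date'];
}

/**
 * Resolve a requested SVG path to a file that is really inside the uploads
 * directory and really looks like an SVG. Rejects traversal (../wp-config.php),
 * symlinks that escape the tree, and non-SVG extensions or contents.
 * In WordPress the base directory would come from wp_upload_dir()['basedir'].
 */
function safe_custom_svg_path( string $requested, string $uploads_dir ): ?string {
    $base = realpath( $uploads_dir );
    if ( $base === false ) {
        return null;
    }
    $full = realpath( $base . '/' . ltrim( $requested, '/' ) );
    if ( $full === false ) {
        return null; // does not exist
    }
    // realpath() has already collapsed ".." and followed symlinks, so a prefix
    // check on the resolved path is sufficient to confine it to uploads/.
    if ( strpos( $full, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null; // resolved outside the uploads directory
    }
    if ( strtolower( pathinfo( $full, PATHINFO_EXTENSION ) ) !== 'svg' ) {
        return null;
    }
    // Lightweight content check: an SVG document must contain an <svg element.
    $head = file_get_contents( $full, false, null, 0, 1024 );
    if ( $head === false || stripos( $head, '<svg' ) === false ) {
        return null;
    }
    return $full;
}
```

With these two guards, a request such as `product_order=1 AND SLEEP(5)` maps to the default sort and `custom_svg=../../wp-config.php` resolves to null rather than to a readable file.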
Wordfence, which runs the bug bounty program that received the disclosures, noted that the arbitrary file read flaw (CVE-2026-4782) could let subscriber-level users retrieve wp-config.php, exposing database credentials and cryptographic keys, while the unauthenticated SQL injection (CVE-2026-4798) only works on sites where WooCommerce was once installed but later deactivated. The Avada team shipped a partial fix in Avada Builder 3.15.2 on April 13 and a complete patch in 3.15.3 on May 12. Wordfence urged administrators to update immediately and audit subscriber accounts created in the disclosure window.