Severity
High
Analysis Summary
A serious security issue has been identified in the widely used Avada Builder WordPress plugin, which powers over one million websites worldwide. Security researchers discovered two significant vulnerabilities that could allow attackers to steal sensitive information and read server files they should not be able to reach. The flaws were reported by a researcher through the Wordfence Bug Bounty Program and were assigned the identifiers CVE-2026-4782 and CVE-2026-4798. They affect Avada Builder versions up to 3.15.2 (one flaw) and up to 3.15.1 (the other), leaving a large installed base exposed until it is patched.
The first vulnerability, CVE-2026-4782, is an authenticated arbitrary file read flaw rated medium severity. The plugin's "custom_svg" shortcode parameter is not properly validated before it reaches the file-loading code, so a low-privileged authenticated user, such as a subscriber, can point it at a path of their choosing and retrieve files from arbitrary locations on the server. The most damaging target is wp-config.php, which holds the database credentials, authentication salts and secret keys; with those an attacker can connect to the database directly or forge authentication cookies, potentially compromising the entire site.
The second vulnerability, CVE-2026-4798, is more severe, with a CVSS score of 7.5. It is an unauthenticated, time-based blind SQL injection in the plugin's handling of the "product_order" parameter: the value is placed into a database query without adequate escaping or parameterization, so an attacker can append SQL of their own and extract data such as user logins, password hashes and other database records. Exploitation requires a specific condition, namely that WooCommerce was previously installed and later disabled. Because the injected query produces no visible output, the attacker instead makes the database pause with a timing function such as SLEEP() whenever a guessed condition is true, and infers the data one character at a time from the response delay. The resulting traffic looks like ordinary page requests that happen to be slow, which makes this kind of attack significantly harder to spot.
In response, the Avada development team issued patches in stages: partial mitigation in version 3.15.2 and the complete fix in version 3.15.3, released on May 12, 2026. Site administrators are strongly advised to update to version 3.15.3 or later immediately. Additional recommended measures include reviewing and removing unnecessary subscriber-level accounts, monitoring server logs for suspicious file access or unusual database activity, and deploying a web application firewall such as Wordfence. The case underlines the importance of continuous plugin auditing and timely patch management, particularly for widely deployed WordPress components, which are attractive targets for automated exploitation campaigns.
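The file-read flaw comes down to a path built from a user-controlled parameter without confining the result. The following Python is an added example written for this page, not Avada Builder's PHP; the directory name UPLOAD_SVG_DIR and the function names are assumptions. It places the flawed pattern beside the check that defeats it: canonicalize the path, confirm it stays under the intended directory, and allow only the expected extension.

```python
import os

# Illustrative check, not Avada Builder's code. The base directory is an
# assumed example location for shortcode-supplied SVG files.
UPLOAD_SVG_DIR = "/var/www/html/wp-content/uploads/svg"
ALLOWED_EXTENSIONS = {".svg"}


def vulnerable_svg_path(base_dir: str, requested: str) -> str:
    """The flawed pattern: trust the parameter and build a path from it.

    Any '../' sequence or absolute path escapes base_dir, so a request for
    '../../../wp-config.php' is handed straight to the file loader.
    """
    return os.path.join(base_dir, requested)


def safe_svg_path(base_dir: str, requested: str):
    """Hardened resolver: return the canonical path, or None if rejected.

    Rejects empty input, embedded NUL bytes, any resolved path outside
    base_dir (covers '../', absolute paths and symlinks, since realpath
    follows symlinks), and any extension other than .svg.
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute; realpath then
    # collapses '..' components and resolves symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("icons/logo.svg", "../../../wp-config.php",
                "/etc/passwd", "icons/shell.php"):
        print(f"{req!r:>26}  vulnerable={vulnerable_svg_path(UPLOAD_SVG_DIR, req)!r}"
              f"  safe={safe_svg_path(UPLOAD_SVG_DIR, req)!r}")
```

Note that the extension check is applied to the canonical path, after symlink resolution, so a symlink named logo.svg pointing at wp-config.php is also caught by the directory check rather than slipping through on its name.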
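A sort parameter is a classic place for this bug because ORDER BY cannot take a bound parameter, so developers concatenate the value into the query. The Python below is an added example for this page, not the plugin's code, and its schema and sample rows are constructed. It runs against an in-memory SQLite database with a user-defined SLEEP() registered so that a MySQL-style time-based probe behaves the same way here, then shows the allow-list mapping that removes user text from the SQL entirely.

```python
import sqlite3
import time

# Constructed in-memory schema standing in for a product table and the
# WordPress users table; all values are sample data, not from a real site.
SAMPLE_ROWS = [(1, "mug", 9.5), (2, "shirt", 19.0), (3, "hat", 12.0)]
SORT_COLUMNS = {"name": "name", "price": "price", "id": "id"}  # allow-list


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL);"
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);"
        "INSERT INTO wp_users VALUES (1, 'admin', '$P$Bsample.hash');"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    # SQLite has no SLEEP(); register one so the time-based payload can
    # actually stall the query as it would on MySQL.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(float(s)) or 0)
    return conn


def vulnerable_query(conn, product_order: str):
    """Flawed pattern: the sort parameter is concatenated into ORDER BY."""
    sql = f"SELECT id, name FROM products ORDER BY {product_order}"
    return conn.execute(sql).fetchall()


def safe_query(conn, product_order: str):
    """Hardened pattern: map the parameter through an allow-list.

    Anything not in SORT_COLUMNS is rejected before reaching the database,
    so no user-controlled text ever becomes part of the SQL string.
    """
    column = SORT_COLUMNS.get(product_order)
    if column is None:
        raise ValueError(f"invalid product_order: {product_order!r}")
    return conn.execute(f"SELECT id, name FROM products ORDER BY {column}").fetchall()


def timed(fn, *args):
    """Return (result_or_exception, elapsed_seconds) for one call."""
    start = time.monotonic()
    try:
        result = fn(*args)
    except Exception as exc:  # report any failure rather than abort
        result = exc
    return result, time.monotonic() - start


# One time-based probe: the delay fires only if the first character of the
# stored password hash is '$'. An attacker repeats this per character and
# per candidate value, reading the answer from the response time alone.
PROBE = (
    "(SELECT CASE WHEN substr((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$' "
    "THEN SLEEP(0.3) ELSE 0 END)"
)

if __name__ == "__main__":
    conn = open_db()
    for builder in (vulnerable_query, safe_query):
        result, elapsed = timed(builder, conn, PROBE)
        print(f"{builder.__name__}: {elapsed:.2f}s -> {result!r}")
```

The vulnerable builder returns the normal product list after a visible pause, which is exactly the "no output, only delay" signal the advisory describes; the safe builder fails fast with a ValueError and never touches the database. Escaping alone would not help here, since the payload contains no quotes to escape.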
Impact
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2026-4782
CVE-2026-4798
Remediation
- Immediately update Avada Builder to version 3.15.3 or later to fully patch both vulnerabilities; version 3.15.2 only partially mitigates them.
- Audit all user accounts and remove unnecessary subscriber or low-privileged accounts that could be abused for authenticated exploitation.
- Review server and application logs for suspicious file access attempts (for example "custom_svg" values containing path traversal sequences or wp-config.php), "product_order" values containing SQL such as SLEEP(), unexplained slow responses, and unauthorized user activity.
- Inspect sensitive files, especially wp-config.php, for any signs of unauthorized access or tampering.
- Reset database credentials and WordPress security salts/keys if file exposure is suspected, since both are readable from wp-config.php; rotating the salts also invalidates existing login sessions.
- Enforce the principle of least privilege by restricting file access permissions on critical WordPress configuration files.
- Deploy a Web Application Firewall (WAF) such as Wordfence to detect and block exploitation attempts.
- Validate and sanitize plugin inputs across all custom shortcode and parameter handlers to prevent file read and SQL injection abuse.
- Disable and remove unused plugins or components; in particular, fully uninstall leftover WooCommerce installations rather than leaving them deactivated, since the SQL injection is reachable in that state.
- Conduct regular vulnerability assessments and maintain a strict patch management process for all WordPress plugins and themes.
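The log monitoring recommended in the analysis and in the remediation list above can be turned into a small hunting script. This Python is an added example for this page, not a Wordfence or Avada tool. It assumes the two parameter names appear in request query strings (an assumption about the attack path; the advisory does not state how the parameters are delivered), that the access log is in combined format with a response-time field appended, as nginx's $request_time provides, and that anything over SLOW_SECONDS is worth a look. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (combined format plus response time in seconds
# as the final field). None of these come from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2026:10:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.120
203.0.113.7 - - [13/May/2026:10:01:09 +0000] "GET /?custom_svg=../../../wp-config.php HTTP/1.1" 200 3110 "-" "Mozilla/5.0" 0.080
198.51.100.9 - - [13/May/2026:10:02:15 +0000] "GET /shop/?product_order=price HTTP/1.1" 200 9001 "-" "curl/8.5" 0.210
198.51.100.9 - - [13/May/2026:10:02:16 +0000] "GET /shop/?product_order=(SELECT%20CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 9001 "-" "python-requests/2.32" 5.230
198.51.100.9 - - [13/May/2026:10:02:22 +0000] "GET /shop/?product_order=price%20AND%20BENCHMARK(5000000%2CSHA1(1)) HTTP/1.1" 200 9001 "-" "python-requests/2.32" 4.970
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|wp-config\.php|/etc/passwd)", re.IGNORECASE)
SQLI_TIME_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(", re.IGNORECASE)
SLOW_SECONDS = 3.0  # assumed threshold; tune to the site's normal latency


def analyse_line(line):
    """Return (ip, timestamp, rule, detail) findings for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    params = parse_qs(urlsplit(m["url"]).query, keep_blank_values=True)
    findings = []
    for value in params.get("custom_svg", []):
        # parse_qs decodes once; decoding again catches double-encoded payloads
        decoded = unquote_plus(value)
        if TRAVERSAL_RE.search(decoded):
            findings.append(("CVE-2026-4782 file read attempt", decoded))
    for value in params.get("product_order", []):
        decoded = unquote_plus(value)
        if SQLI_TIME_RE.search(decoded):
            findings.append(("CVE-2026-4798 time-based SQLi payload", decoded))
        elif float(m["rt"]) >= SLOW_SECONDS:
            # No keyword, but a sort request should not take this long:
            # the delay itself is the signal a time-based probe leaves behind.
            findings.append(("slow product_order response", f'{m["rt"]}s: {decoded}'))
    return [(m["ip"], m["ts"], rule, detail) for rule, detail in findings]


def scan(log_text):
    """Scan a whole log body and return every finding in log order."""
    hits = []
    for line in log_text.splitlines():
        hits.extend(analyse_line(line))
    return hits


if __name__ == "__main__":
    for ip, ts, rule, detail in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {rule}: {detail}")
```

The keyword rules catch unsophisticated scanners; the response-time rule is the one that still fires when the payload is obfuscated, which is why the timing field is worth logging in the first place. A burst of many slow product_order requests from one address, each differing only in a guessed character, is the shape a blind extraction takes in these logs.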