Avada Builder bugs expose sites to credential theft

Two vulnerabilities in Avada Builder for WordPress—tracked as CVE-2026-4782 and CVE-2026-4798—could let attackers read arbitrary server files or extract database data, putting site credentials at risk. Wordfence says the fix is in Avada Builder 3.15.3, after p
When attackers can grab a WordPress site’s secrets, the damage is fast: credentials, password hashes, and keys can turn a running website into a takeover. That’s the concern around two newly disclosed flaws in the Avada Builder plugin, a widely used drag-and-drop tool that helps shape WordPress pages—installed on an estimated one million sites.
Wordfence reports that one issue, CVE-2026-4782, allows an authenticated user with subscriber-level access to read the contents of arbitrary files on the server. The other, CVE-2026-4798, is a time-based blind SQL injection that can be used without authentication, but only under a specific condition tied to WooCommerce.
The plugin, which integrates with the Avada WordPress theme, lets users build and customize layouts, sections, and design elements without writing code. In security terms, though, that convenience becomes a route for misuse: Wordfence explains the arbitrary file read stems from the plugin’s shortcode-rendering functionality and a custom_svg parameter that fails to properly validate file types or sources.
That weakness can be abused to access sensitive files such as wp-config.php, a file that typically contains database credentials and cryptographic keys. With those secrets in hand, Wordfence says attackers can compromise an administrator account and move toward full site takeover. Even though the flaw was rated medium severity—because it requires subscriber-level access—Wordfence notes the access level is not a meaningful barrier on many WordPress sites, where user registration is often open.
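The root cause Wordfence describes is a shortcode attribute whose value is used as a file reference without checking what kind of file it points to or where it lives. As an added illustration (not Avada Builder's code, and not a description of the vendor's actual fix), the WordPress snippet below shows the validation such a parameter needs before anything is read from disk: prefer a media-library attachment ID, and if a path is accepted at all, resolve it with realpath() and confirm it stays inside the uploads directory with an .svg extension. The function names are hypothetical.

```php
<?php
// Added example, not Avada Builder's code. Assumes WordPress is loaded;
// example_* function names are hypothetical.

/**
 * Resolve a custom_svg-style attribute to a file the site itself hosts,
 * or return null if it is anything else (wp-config.php, traversal, URLs).
 */
function example_resolve_custom_svg( $value ) {
    // Preferred form: a media-library attachment ID, checked by MIME type.
    if ( is_numeric( $value ) ) {
        $id   = (int) $value;
        $path = get_attached_file( $id );
        if ( ! $path || 'image/svg+xml' !== get_post_mime_type( $id ) ) {
            return null;
        }
        return $path;
    }

    // Fallback form: a relative path confined to wp-content/uploads.
    $uploads  = wp_get_upload_dir();
    $base_dir = realpath( $uploads['basedir'] );
    if ( false === $base_dir ) {
        return null;
    }

    // Reject stream wrappers (php://, phar://, http://) and absolute paths outright.
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $value ) || path_is_absolute( $value ) ) {
        return null;
    }

    // realpath() collapses any "../" segments and symlinks before we compare.
    $candidate = realpath( $base_dir . '/' . ltrim( $value, '/\\' ) );
    if ( false === $candidate ) {
        return null; // missing file or unresolvable path
    }

    // The resolved path must still be strictly below the uploads directory.
    if ( 0 !== strpos( $candidate, $base_dir . DIRECTORY_SEPARATOR ) ) {
        return null;
    }

    // Check the extension on the resolved path, not on the raw input.
    if ( 'svg' !== strtolower( pathinfo( $candidate, PATHINFO_EXTENSION ) ) ) {
        return null;
    }

    return $candidate;
}

/**
 * Shortcode handler that renders nothing rather than an arbitrary file
 * when the attribute fails validation.
 */
function example_render_custom_svg( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts );
    $file = example_resolve_custom_svg( $atts['custom_svg'] );
    if ( null === $file ) {
        return '';
    }
    // SVG can carry <script> elements; run the markup through an SVG
    // sanitiser before echoing it inline in a real plugin.
    return file_get_contents( $file );
}
```

The order of checks matters: the containment test runs on the realpath() result, so a value like `../../wp-config.php` is rejected even though the raw string never starts with `/`, and the extension test also runs on the resolved path so a traversal that ends in `.svg` but escapes uploads still fails.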
The second vulnerability, tracked as CVE-2026-4798, works differently and carries its own gatekeeping conditions. Wordfence says it affects Avada Builder versions through 3.15.1. The problem is that user-controlled input from the product_order parameter is inserted into an SQL ORDER BY clause without proper query preparation.
Because of that, Wordfence says unauthenticated attackers can exploit the flaw to extract sensitive information from the site database, including password hashes. But there’s a prerequisite: exploitation requires that the WooCommerce e-commerce plugin was enabled at some point and then deactivated, and the relevant database tables must still be present.
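ORDER BY is a classic place for this bug because $wpdb->prepare() can bind values but not identifiers or sort directions, so developers are tempted to interpolate the parameter directly. As an added example (not Avada Builder's code, and not the vendor's fix), the snippet below shows the allowlist pattern that closes the gap: the product_order request value is mapped to a fixed set of column expressions and ASC/DESC, anything else falls back to a default, and only then is the fragment placed in a query whose remaining inputs are bound with prepare(). Function names and the meta key are hypothetical.

```php
<?php
// Added example, not Avada Builder's code. Assumes WordPress is loaded;
// example_* function names and the '_price' meta key are hypothetical.

/**
 * Map a raw product_order parameter (e.g. "title-desc") to a safe
 * ORDER BY fragment. Unknown columns or directions use the default.
 */
function example_safe_product_order( $raw ) {
    // Only these columns may be sorted on; keys are what the request may send.
    $columns = array(
        'title' => 'p.post_title',
        'date'  => 'p.post_date',
        'price' => 'pm.meta_value+0',
    );
    $default = 'p.post_date DESC';

    $parts     = explode( '-', strtolower( (string) $raw ), 2 );
    $column    = $parts[0];
    $direction = ( isset( $parts[1] ) && 'desc' === $parts[1] ) ? 'DESC' : 'ASC';

    if ( ! isset( $columns[ $column ] ) ) {
        return $default; // nothing from the request reaches the SQL
    }
    return $columns[ $column ] . ' ' . $direction;
}

/**
 * Query products with a caller-supplied sort, limit bound as an integer.
 */
function example_query_products( $raw_order, $limit = 10 ) {
    global $wpdb;

    // $order_by contains only allowlisted text, never the raw parameter,
    // so interpolating it into the query string is safe.
    $order_by = example_safe_product_order( $raw_order );

    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title
         FROM {$wpdb->posts} p
         LEFT JOIN {$wpdb->postmeta} pm
                ON pm.post_id = p.ID AND pm.meta_key = %s
         WHERE p.post_type = %s AND p.post_status = 'publish'
         ORDER BY {$order_by}
         LIMIT %d",
        '_price',
        'product',
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// Usage: a request value of "price-desc" sorts by price descending;
// a value such as "title; SELECT SLEEP(5)" matches no allowlist key and
// yields the default ordering instead of reaching the database.
```

The distinction this draws is between values, which prepare() handles, and structure (column names, sort direction, table names), which must be chosen from constants the application controls. The same allowlist approach applies regardless of whether the underlying WooCommerce tables are present, which removes the configuration-dependent exposure Wordfence describes.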
The findings were discovered by security researcher Rafie Muhammad, who submitted them through the Wordfence Bug Bounty Program. Wordfence says Muhammad received $3,386 for the file read issue and $1,067 for the SQL injection report.
The timeline shows how quickly fixes had to catch up. The vulnerabilities were submitted to Wordfence on March 21 and reported to the Avada Builder publisher on March 24. A partial fix landed in version 3.15.2 on April 13, and Wordfence says the fully patched release—version 3.15.3—arrived on May 12.
For site owners and admins, the takeaway is straightforward: update to Avada Builder 3.15.3 as soon as possible. With wp-config.php reachable in one scenario and database contents targeted in another, Wordfence’s warning is about limiting the window in which attackers can turn plugin access into stolen credentials.