
Two vulnerabilities in the Avada Builder plugin for WordPress, which has an estimated 1,000,000 active installations, allow attackers to read arbitrary files and extract sensitive information from the database.
One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by authenticated users with at least subscriber-level access to read the contents of any file on the server.
The other security issue received the identifier CVE-2026-4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is only possible if the WooCommerce e-commerce plugin for WordPress has been enabled and then deactivated.
Avada Builder is a drag-and-drop page builder plugin for the Avada WordPress theme that lets users create and customize website layouts, content sections, and design elements without writing code.
The two issues were discovered by security researcher Rafie Muhammad, who reported them through the Wordfence Bug Bounty Program and received $3,386 and $1,067, respectively, for the findings.
Wordfence explains that the arbitrary file read is possible through the plugin's shortcode-rendering functionality and the custom_svg parameter. The problem is that the plugin does not properly validate file types or sources, allowing access to sensitive files such as wp-config.php, which typically contains database credentials and cryptographic keys.
Access to wp-config.php could lead to the compromise of an administrator account and full site takeover.
Although the flaw received a medium-severity rating because it requires subscriber-level access, that requirement is not much of a barrier, as many WordPress sites offer user registration.
The time-based blind SQL injection flaw tracked as CVE-2026-4798 affects Avada Builder versions through 3.15.1. The issue exists because user-controlled input from the product_order parameter was inserted into an SQL ORDER BY clause without proper query preparation.
The flaw can be exploited by unauthenticated attackers to extract sensitive information from the site database, including password hashes. The prerequisite for exploiting it is that WooCommerce was used and then deactivated, with its database tables still intact.
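As an added illustration (not Avada Builder's code and not taken from the Wordfence write-up), the following hypothetical WordPress helpers show the check each of the two bug classes above needs: an allowlist for ORDER BY input, because $wpdb->prepare() placeholders cover values but not column names or the sort direction, and type-plus-containment validation for a file path taken from a request parameter. The function names, the "field-direction" request format and the column mapping are assumptions.

```php
<?php
// Added example, not Avada Builder or Wordfence code: hypothetical WordPress
// helpers showing the two checks the bug classes above call for.

// $wpdb->prepare() placeholders (%s, %d) cover values only, never identifiers
// or the ASC/DESC keyword, so a sort parameter must be mapped through an
// allowlist before it is interpolated into the query.
function safe_product_order_clause( $raw_order ) {
    // Assumed request format "field-direction", e.g. "date-desc".
    $columns = array(
        'date'  => 'post_date',
        'title' => 'post_title',
        'menu'  => 'menu_order',
    );
    $parts     = explode( '-', (string) $raw_order, 2 );
    $column    = isset( $columns[ $parts[0] ] ) ? $columns[ $parts[0] ] : 'post_date';
    $direction = ( isset( $parts[1] ) && 'asc' === strtolower( $parts[1] ) ) ? 'ASC' : 'DESC';
    // Only allowlisted literals reach the SQL; unknown input falls back to a default.
    return "ORDER BY {$column} {$direction}";
}

function query_products( $wpdb, $raw_order, $limit ) {
    $order_by = safe_product_order_clause( $raw_order );
    // The value part (LIMIT) still goes through prepare().
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_type = 'product' AND post_status = 'publish' "
         . "{$order_by} LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, (int) $limit ) );
}

// A file named by a request parameter must be both the expected type and
// located inside the one directory it is allowed to come from.
function resolve_upload_svg( $requested ) {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( $base . '/' . ltrim( (string) $requested, '/\\' ) );
    if ( false === $base || false === $target ) {
        return null; // missing file or unresolvable path
    }
    // Canonical-path containment defeats ../ traversal; the extension check
    // rejects wp-config.php and any other non-SVG file.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    if ( 'svg' !== strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        return null;
    }
    return $target;
}
```

Callers that render the SVG should read only the path returned here and treat null as "not found" rather than falling back to the raw parameter.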
The two flaws were submitted to Wordfence on March 21 and reported to the Avada Builder vendor on March 24. A partial fix, version 3.15.2, was released on April 13, while the fully patched version 3.15.3 was released on May 12.
Affected website owners/admins are advised to update to Avada Builder version 3.15.3 as soon as possible.
