An estimated one million active installations of the Avada Builder WordPress plugin are potentially exposed after researchers disclosed two distinct vulnerabilities — tracked as CVE-2026-4782 and CVE-2026-4798 — that can expose files and database contents, including credentials.
The vulnerabilities: CVE-2026-4782 and CVE-2026-4798
Two flaws in the Avada Builder plugin, a drag-and-drop webpage builder for the Avada WordPress theme, permit attackers to read arbitrary files and extract sensitive database information. CVE-2026-4782 is an arbitrary file read that affects all plugin versions through 3.15.2 and can be triggered by authenticated users with at least subscriber-level access. CVE-2026-4798 is a time-based blind SQL injection that affects Avada Builder versions through 3.15.1 and can be leveraged without authentication — but only under a specific condition involving WooCommerce.
How the arbitrary file read works (CVE-2026-4782)
Wordfence describes the arbitrary file read as rooted in the plugin’s shortcode-rendering functionality and specifically the custom_svg parameter. The plugin failed to validate file types or file sources properly, so a crafted parameter value could make the application return arbitrary server files instead of an SVG. The advisory highlights wp-config.php as an example of a file accessible via the flaw; that file holds the database credentials and the authentication keys and salts that WordPress uses to sign login cookies, so an attacker who can reach the database can rewrite an administrator’s password hash, and one who holds the salts can forge session cookies. Wordfence notes that access to wp-config.php can lead to the compromise of an administrator account and a full site takeover. Although the flaw was assigned a medium-severity rating because exploitation requires subscriber-level access, the advisory points out that the requirement is not a practical barrier on many WordPress sites, since open user registration is common and a subscriber is the lowest role such registration grants.
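As an added illustration of the bug class (this is not Avada Builder’s code and not Wordfence’s proof of concept), the hypothetical shortcode handler below shows a custom_svg attribute used as a raw path beside a hardened version that confines the file to the uploads directory. The shortcode tag and function names are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. [demo_svg], demo_svg_vulnerable and
// demo_svg_hardened are hypothetical names chosen for illustration.

// VULNERABLE: the attribute is trusted as a filesystem path, so
// custom_svg="../../wp-config.php" walks out of the uploads tree.
function demo_svg_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts, 'demo_svg' );
    $path = wp_upload_dir()['basedir'] . '/' . $atts['custom_svg'];
    return file_get_contents( $path ); // arbitrary file read
}

// HARDENED: resolve the path, confine it to the uploads directory and
// accept only .svg files. Returns '' for anything that fails a check.
function demo_svg_hardened( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts, 'demo_svg' );
    $name = (string) $atts['custom_svg'];

    // Null bytes can truncate paths in lower layers; reject them outright.
    if ( '' === $name || false !== strpos( $name, "\0" ) ) {
        return '';
    }

    $basedir = realpath( wp_upload_dir()['basedir'] );
    // realpath() collapses "../" segments and resolves symlinks; it returns
    // false when the resulting file does not exist.
    $path = ( false !== $basedir ) ? realpath( $basedir . '/' . $name ) : false;
    if ( false === $path ) {
        return '';
    }

    // Prefix check with a trailing separator, so /srv/uploads-evil cannot
    // pass as /srv/uploads.
    if ( 0 !== strpos( $path, $basedir . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    // Extension allowlist: this handler is for SVG files only.
    if ( 'svg' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        return '';
    }

    $svg = file_get_contents( $path );
    // An SVG can carry <script>; a real handler should run the markup through
    // an SVG sanitiser before echoing it into the page.
    return ( false === $svg ) ? '' : $svg;
}

add_shortcode( 'demo_svg', 'demo_svg_hardened' );
```

A stricter design avoids filesystem paths in the shortcode altogether: accept a media-library attachment ID, resolve it with get_attached_file(), and check the attachment’s MIME type, so the only files reachable are ones WordPress itself uploaded.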
How the SQL injection works and its unusual precondition (CVE-2026-4798)
The second issue, CVE-2026-4798, is a time-based blind SQL injection that arises when user-controlled input from the product_order parameter is interpolated into an SQL ORDER BY clause without proper query preparation. An ORDER BY column cannot be supplied through a prepared-statement placeholder (a placeholder yields a quoted constant, not a column name), which is why code in this position tends to concatenate and why the correct fix is an allowlist of permitted column names rather than escaping. Unlike the arbitrary file read, this flaw can be exploited by unauthenticated attackers, but exploitation is conditional: the site must have had the WooCommerce e-commerce plugin enabled at some point and then deactivated, and WooCommerce’s database tables must still be present. That combination is not rare, because deactivating a plugin never drops its tables; only a full uninstall can. When those conditions are met, an attacker can extract sensitive information from the site database, including password hashes, by abusing the vulnerable ORDER BY usage.
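The following added example (again hypothetical, not the plugin’s code or the researcher’s payload) shows the ORDER BY injection pattern beside the allowlist fix, and a check a site operator can run to see whether the WooCommerce-table precondition applies. The function names, the product_order and direction parameters, and the choice of wc_product_meta_lookup as the queried table are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. demo_products_vulnerable,
// demo_products_hardened and demo_wc_tables_left_behind are hypothetical.

// VULNERABLE: the sort expression comes straight from the request.
// $wpdb->prepare() would not help: a %s placeholder produces a quoted
// string, and ORDER BY 'min_price' sorts by a constant. A request such as
//   product_order=(SELECT IF(SUBSTRING(user_pass,1,1)='$',SLEEP(5),0)
//                   FROM wp_users WHERE ID=1)
// turns the clause into a time-based oracle on an admin's password hash.
function demo_products_vulnerable( $product_order ) {
    global $wpdb;
    $sql = "SELECT product_id, min_price FROM {$wpdb->prefix}wc_product_meta_lookup"
         . " ORDER BY " . $product_order;
    return $wpdb->get_results( $sql );
}

// HARDENED: map the client value onto a fixed set of column names and
// directions. Unknown values fall back to a default instead of erroring,
// so the response gives no signal about the query's shape.
function demo_products_hardened( $product_order, $direction = 'ASC' ) {
    global $wpdb;
    $columns = array(
        'price' => 'min_price',
        'id'    => 'product_id',
        'sales' => 'total_sales',
    );
    $column    = isset( $columns[ $product_order ] ) ? $columns[ $product_order ] : 'product_id';
    $direction = ( 'DESC' === strtoupper( (string) $direction ) ) ? 'DESC' : 'ASC';
    // Both fragments are now literals chosen by this code, never by the client.
    $sql = "SELECT product_id, min_price FROM {$wpdb->prefix}wc_product_meta_lookup"
         . " ORDER BY {$column} {$direction}";
    return $wpdb->get_results( $sql );
}

// Precondition check for the scenario in the advisory: WooCommerce is not
// loaded (WC() is undefined) but its tables are still in the database.
// Deactivation leaves tables in place; WooCommerce only drops them on
// uninstall when WC_REMOVE_ALL_DATA is set.
function demo_wc_tables_left_behind() {
    global $wpdb;
    $like   = $wpdb->esc_like( $wpdb->prefix . 'wc_' ) . '%';
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
    return ! function_exists( 'WC' ) && ! empty( $tables );
}
```

demo_wc_tables_left_behind() returning true is the state the advisory describes: code paths that assume WooCommerce’s schema can still reach those tables even though the plugin that owns them is switched off. Sites that have removed WooCommerce for good should drop the leftover wc_ and woocommerce_ tables after taking a backup, which removes the precondition regardless of plugin version.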
Disclosure timeline, patches, and rewards
Security researcher Rafie Muhammad reported the two issues to the Wordfence Bug Bounty Program, submitting the findings on March 21 and notifying the Avada Builder publisher on March 24. Wordfence records show Muhammad received $3,386 for the arbitrary file read and $1,067 for the SQL injection. A partial fix was published in Avada Builder version 3.15.2 on April 13; a fully patched release, version 3.15.3, was issued on May 12. Impacted website owners and administrators are advised to update to Avada Builder version 3.15.3 as soon as possible.
What this means for website owners, technologists, and threat actors
- Website owners and administrators: The advisory explicitly recommends updating to Avada Builder 3.15.3 immediately. Owners of sites that allowed user registration should treat subscriber-level accounts as a potential vector for the arbitrary file-read exploit.
- Technologists and security teams: The two flaws illustrate two different classes of vulnerability, insecure file handling driven by shortcode parameters and SQL built by string concatenation in ORDER BY clauses. They also show why code paths that depend on another plugin (here WooCommerce) need to be re-tested after that plugin is deactivated: deactivation leaves its tables and data behind, and fallback logic that assumes the plugin is absent can become the reachable, unauthenticated path.
- Adversaries and threat actors: The arbitrary file read can lead directly to administrative compromise via wp-config.php contents, and the SQL injection can disclose password hashes when WooCommerce tables remain. The combination of a high-install-count plugin and these exploitation paths increases the potential pool of targets.
The factual record in the advisory is straightforward: two software flaws, a large install base, a researcher-reported disclosure with monetary rewards, and a fully patched release. For site operators running Avada Builder, the clear next step recorded in the advisory is to upgrade to 3.15.3 without delay. For defenders, the episode underscores the persistent risk posed by plugin interactions and by features that accept user-supplied content — and that even medium-rated bugs can be practically exploitable where account registration is commonly permitted.