Skip to main content
Emerging Threats

Avada Builder Flaws Put 1 Million WordPress Sites at Risk

A modern web development environment with a laptop workstation and out-of-focus screen, symbolizing a vulnerable WordPress…

Around one million WordPress sites were placed at risk by two newly disclosed Avada Builder plugin flaws, according to analysis published by Wordfence on May 12.

CVE-2026-4782: SVG shortcode allows arbitrary file read

Wordfence's report identifies CVE-2026-4782 as an arbitrary file read vulnerability rated 6.5 on the Common Vulnerability Scoring System (CVSS). The problem resides in the plugin function fusion_get_svg_from_file, which is invoked when the fusion_section_separator shortcode receives a custom_svg parameter. Because the function performs no file type or source validation, authenticated users with subscriber-level access can exploit it to read sensitive server files.

Wordfence specifically called out wp-config.php as an example of an exposed file; that file contains WordPress's database credentials, cryptographic keys and salts. The advisory therefore frames the flaw as a path from a low-privilege account to potentially wide-ranging credential disclosure on affected servers.

CVE-2026-4798: unauthenticated time-based SQL injection in product_order

The second flaw, CVE-2026-4798, is described as an unauthenticated time-based SQL injection in the product_order parameter and carries a CVSS rating of 7.5 (High). Although the plugin applies WordPress's sanitize_text_field() to the input, Wordfence notes that this function does not defend against SQL injection in this context. The surrounding ORDER BY clause is concatenated into the query without using WordPress's prepare() escaping, enabling injection.

Wordfence adds a key constraint: the SQL injection is exploitable only on sites where WooCommerce was previously installed and then deactivated. That dependency narrows the population of vulnerable installations but does not remove the risk for sites that meet the condition.

Timeline: reporting, fixes and guidance from Wordfence

The vulnerabilities were reported by independent researcher Rafie Muhammad via the Wordfence Bug Bounty Program on March 21, according to Wordfence. Full disclosure of the technical details was shared with the Avada team on March 24 and 25, and the developer began work on a fix the same day.

The vendor shipped an initial patch in Avada Builder version 3.15.2 on April 13 and delivered the complete fix in version 3.15.3 on May 12. Wordfence urged site owners to apply the update without delay.

What this means for site administrators, security teams, and e-commerce operators

  • Site administrators: Wordfence recommends applying Avada Builder 3.15.3 immediately. Administrators should audit subscriber accounts created around the disclosure window for suspicious additions or privilege escalations.
  • Security teams: If there is any suspicion of compromise, teams should rotate credentials stored in wp-config.php, since the arbitrary file read vulnerability can expose database credentials, cryptographic keys and salts.
  • E-commerce operators and WooCommerce users: Teams operating sites where WooCommerce was previously installed and then deactivated should treat the SQL injection vector as a primary concern, and check for exploitation traces in logs and traffic.

Signs of exploitation and immediate checks

Wordfence suggests several concrete checks administrators may run immediately: audit recently created subscriber accounts; rotate credentials in wp-config.php if compromise is suspected; and check for unusual admin-ajax.php traffic that references the affected fusion_section_separator shortcode. These items map directly to the two flaws: arbitrary reads via the shortcode and the SQL injection behavior tied to product_order.

The disclosure also joins what Wordfence characterizes as its running record of Avada Builder vulnerabilities. For affected site owners, the practical calculus is straightforward: update to Avada Builder 3.15.3 and verify whether subscriber accounts or unusual admin-ajax.php activity coincide with the period between disclosure and patching; where WooCommerce was once installed, assume heightened risk for SQL injection attempts.

Wordfence's advisory and the Avada patches close the technical window described in the report, but the facts the report highlights remain simple and specific: a function that accepts unvalidated SVG input can read sensitive files, and a concatenated ORDER BY clause can be abused for SQL injection where residual WooCommerce artifacts exist. Those precise code-level failures are the root cause; the measures recommended by Wordfence—patching, account audits, credential rotation and traffic inspection—are the immediate, actionable steps site owners can and should take.

Source: https://www.infosecurity-magazine.com/news/avada-builder-flaws-one-million/