Skip to content
Tech News
← Back to articles

Avada Builder WordPress plugin flaws allow site credential theft

2026-05-15 | original
read original get WordPress Security Plugin → more articles
Why This Matters

The vulnerabilities in the Avada Builder plugin pose significant security risks for WordPress sites, potentially exposing sensitive data and enabling full site takeovers. Given the plugin's widespread use, these flaws highlight the importance of timely updates and security vigilance for website owners and developers. Addressing these issues is crucial to maintaining the integrity and safety of millions of websites relying on this popular tool.

Key Takeaways

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database.

One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated users with at least subscriber-level access to read the contents of any file on the server.

The other security issue received the identifier CVE-2026-4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is possible only if the WooCommerce e-commerce plugin for WordPress has been enabled and then deactivated.

Avada Builder is a drag-and-drop webpage builder plugin for the Avada WordPress theme that lets you create and customize website layouts, content sections, and design elements without writing code.

The two issues were discovered by security researcher Rafie Muhammad, who reported them through the Wordfence Bug Bounty Program and received $3,386 and $1,067, respectively, for the findings.

Wordfence explains that the arbitrary file read is possible via the plugin’s shortcode-rendering functionality and the custom_svg parameter. The issue is that the plugin does not properly validate file types or sources, allowing access to sensitive files such as wp-config.php, which typically contains database credentials and cryptographic keys.

Access to wp-config.php can lead to the compromise of an administrator account and full site takeover.

Although the flaw received a medium-severity rating because it requires subscriber-level access, the requirement does not represent a barrier, as many WordPress sites offer user registration.

The time-based blind SQL injection flaw tracked as CVE-2026-4798 affects Avada Builder versions through 3.15.1. The issue exists because user-controlled input from the product_order parameter was inserted into an SQL ORDER BY clause without proper query preparation.

The flaw can be exploited by unauthenticated attackers to extract sensitive information from the site database, including password hashes. The prerequisite for exploiting it is to have used WooCommerce and then deactivated it, and its database tables must be intact.

... continue reading

Explore topics: avada builder wordpress cve-2026-4782 cve-2026-4798 woocommerce
Related:
HostGator Promo Codes: 76% Off for April 2026
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Australia warns of ClickFix attacks pushing Vidar Stealer malware
Hackers abuse Google ads for GoDaddy ManageWP login phishing
Best WordPress Hosting for Building a Successful Website in 2026

© 2026 GoKawiil

About | Editorial Policy | Contact