Categories: Cyber Security News

1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws

A widely used WordPress plugin powering over one million websites has been hit by two serious vulnerabilities that could allow attackers to steal sensitive data and access server files.

Security researchers warn that the flaws in the Avada Builder plugin could be actively exploited if sites remain unpatched.

The issues, discovered by researcher Rafie Muhammad through the Wordfence Bug Bounty Program, include an arbitrary file read vulnerability (CVE-2026-4782) and a SQL injection flaw (CVE-2026-4798).

These vulnerabilities affect Avada Builder versions up to 3.15.2 and 3.15.1, respectively.

Avada Builder Flaws

Arbitrary File Read Vulnerability

The first flaw (CVE-2026-4782) allows authenticated users with minimal privileges, such as subscribers, to read sensitive files on the server.

This vulnerability exists in the plugin’s handling of the “custom_svg” parameter within a shortcode.

Due to missing validation checks, attackers can manipulate the function responsible for loading files and retrieve contents from arbitrary locations.

This includes critical files like wp-config.php, which contains database credentials and security keys.

In simple terms, a low-level user could trick the plugin into exposing confidential server data without needing admin access.

The issue received a CVSS score of 6.5, indicating medium severity but high practical risk.
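To make the flaw class concrete, here is an added example (hypothetical code, not Avada Builder's): a shortcode that inlines an SVG named by a `custom_svg` attribute, written first with the defect the article describes (the attribute reaches the file loader with no validation) and then with the checks a safe handler needs. The shortcode name `example_icon`, the function names and the allow-list of SVG elements are assumptions for the example.

```php
<?php
// Added example, not Avada Builder's code: a hypothetical "custom_svg" shortcode.

// Vulnerable pattern: the attribute value is passed straight to file_get_contents(),
// so any readable file on the server, wp-config.php included, can be returned into the page.
function example_custom_svg_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts, 'example_icon' );
    return file_get_contents( $atts['custom_svg'] ); // no path, extension or containment checks
}

// Hardened pattern: only a *.svg that resolves to a location inside the uploads directory is read.
function example_custom_svg_hardened( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts, 'example_icon' );
    $svg  = example_read_upload_svg( $atts['custom_svg'] );
    if ( null === $svg ) {
        return ''; // rejected: render nothing rather than an error message
    }
    // The file is still untrusted markup; keep only presentational elements before echoing it.
    return wp_kses( $svg, example_svg_allowed_tags() );
}

// Returns the SVG text for a path relative to wp-content/uploads, or null when the path is rejected.
function example_read_upload_svg( $relative ) {
    if ( ! is_string( $relative ) || '' === $relative || false !== strpos( $relative, "\0" ) ) {
        return null;
    }
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    if ( false === $base ) {
        return null; // uploads directory cannot be resolved
    }
    // Resolve symlinks and ".." segments first, then compare against the real base directory.
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $target ) {
        return null; // nonexistent file
    }
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null; // resolved outside the uploads directory
    }
    if ( 'svg' !== strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        return null; // wrong type, e.g. a .php or .txt file that happens to live under uploads
    }
    if ( ! is_file( $target ) || ! is_readable( $target ) ) {
        return null;
    }
    return file_get_contents( $target );
}

function example_svg_allowed_tags() {
    // Allow-list for inline icons (assumption: icons need only these elements and attributes).
    $shape = array( 'class' => true, 'fill' => true, 'stroke' => true, 'stroke-width' => true, 'd' => true, 'transform' => true );
    return array(
        'svg'    => array( 'xmlns' => true, 'viewbox' => true, 'width' => true, 'height' => true, 'class' => true, 'role' => true, 'aria-hidden' => true ),
        'g'      => $shape,
        'path'   => $shape,
        'circle' => array_merge( $shape, array( 'cx' => true, 'cy' => true, 'r' => true ) ),
        'rect'   => array_merge( $shape, array( 'x' => true, 'y' => true, 'width' => true, 'height' => true, 'rx' => true ) ),
        'title'  => array(),
    );
}

add_shortcode( 'example_icon', 'example_custom_svg_hardened' );
```

The containment check compares the `realpath()` result against the resolved uploads base, so `..` segments and symlinks are handled by the filesystem rather than by string stripping. The extension check matters independently: a file under uploads that is not an SVG should never be inlined either. `wp_kses()` lowercases attribute names, which is why the allow-list key is `viewbox`; a dedicated SVG sanitizer would be the stricter choice for user-uploaded icons.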

SQL Injection Enables Data Theft

The second vulnerability (CVE-2026-4798) is more severe, with a CVSS score of 7.5. It allows unauthenticated attackers to perform time-based SQL injection attacks through the “product_order” parameter.

Because the plugin fails to sanitize database queries properly, attackers can inject malicious SQL commands.

This can be used to extract sensitive data such as user credentials and password hashes from the database.

Although exploitation requires a specific condition (WooCommerce must have been previously installed and later disabled), the attack remains highly impactful.

Threat actors can use timing-based techniques, such as SQL SLEEP functions, to slowly extract information without producing direct output.
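The defensive point behind this flaw is that an ordering parameter cannot be protected by a placeholder: `$wpdb->prepare()` handles values, not identifiers, so anything that lands in `ORDER BY` has to be mapped through an allow-list. The following added example (hypothetical code, not Avada Builder's, and it does not model the WooCommerce precondition the article mentions) shows a product listing that takes a `product_order` request parameter, first as the unsanitized concatenation the article describes and then hardened. The function names, the `per_page` parameter and the allow-list entries are assumptions.

```php
<?php
// Added example, not Avada Builder's code: a hypothetical product query driven by
// a "product_order" request parameter.

// Vulnerable pattern: the ordering string comes straight from the request into the query,
// so whatever it contains is executed as SQL by the database.
function example_products_vulnerable( $request ) {
    global $wpdb;
    $order = isset( $request['product_order'] ) ? $request['product_order'] : 'date';
    $sql   = "SELECT ID, post_title FROM {$wpdb->posts}
              WHERE post_type = 'product' AND post_status = 'publish'
              ORDER BY {$order} LIMIT 10";
    return $wpdb->get_results( $sql );
}

// Maps a public sort key to a fixed SQL fragment; unknown keys fall back to the default.
function example_order_fragment( $requested ) {
    $allowed_orders = array(
        'date'  => 'post_date DESC',
        'title' => 'post_title ASC',
        'id'    => 'ID ASC',
    );
    // sanitize_key() lowercases and strips everything but [a-z0-9_-], so the lookup
    // can only ever hit one of the keys above.
    $key = sanitize_key( (string) $requested );
    return isset( $allowed_orders[ $key ] ) ? $allowed_orders[ $key ] : $allowed_orders['date'];
}

// Hardened pattern: identifiers go through the allow-list, values go through prepare().
function example_products_hardened( $request ) {
    global $wpdb;

    $requested = isset( $request['product_order'] ) ? wp_unslash( $request['product_order'] ) : 'date';
    $order_sql = example_order_fragment( $requested );

    $limit = isset( $request['per_page'] ) ? absint( $request['per_page'] ) : 10;
    $limit = max( 1, min( $limit, 100 ) ); // bound the page size as well

    // The ORDER BY fragment is a constant chosen from the map above, never request text.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = %s
         ORDER BY {$order_sql} LIMIT %d",
        'product',
        'publish',
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

With this shape, a request value such as `date AND SLEEP(5)` is reduced by `sanitize_key()` to a string that matches no map key and silently falls back to the default sort; the database never sees the attacker-controlled text, so timing-based inference has nothing to measure.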

The Avada development team released patches in two stages. Version 3.15.2 partially addressed the issues, while the final fix was delivered in version 3.15.3 on May 12, 2026.

Website owners using Avada Builder are strongly advised to update to version 3.15.3 or later immediately.

  • Update the plugin to the latest version.
  • Review user roles and remove unnecessary subscriber accounts.
  • Monitor logs for unusual database queries or file access.
  • Use a web application firewall, such as Wordfence, for added protection.
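Two small checks that act on the "monitor logs for unusual database queries or file access" advice, as an added example that is not part of the article or of any Wordfence tooling. The access-log check looks for SQL timing functions in `product_order` and for unusually slow responses on requests carrying that parameter; the content check scans post content for `custom_svg` shortcode attributes that do not name a `.svg` inside the uploads directory, since the article says the file-read flaw is reached through a shortcode rather than a URL. The log lines and post content are constructed for the example, and the log format (Apache combined with the request duration in microseconds appended via `%D`) is an assumption.

```php
<?php
// Added example, not from the article: two monitoring checks for the patterns described above.

// 1) Access-log check. Returns a list of findings (empty when the line is unremarkable).
function example_flag_log_line( $line, $slow_us = 3000000 ) {
    // ip ident user [time] "METHOD url proto" status bytes "referer" "agent" duration_us
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*" (\d+)$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return array(); // not a line in the expected format
    }
    list( , $ip, $url, $duration ) = $m;
    $params = array();
    $query  = parse_url( $url, PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $params ); // percent-decodes the values
    }
    if ( ! isset( $params['product_order'] ) || ! is_string( $params['product_order'] ) ) {
        return array();
    }
    $value    = $params['product_order'];
    $findings = array();
    // Legitimate sort keys are short identifiers; SQL functions, comments or UNION are not.
    if ( preg_match( '/\b(sleep|benchmark)\s*\(|--|\/\*|\bunion\b/i', $value ) ) {
        $findings[] = "sqli-pattern from {$ip}: {$value}";
    }
    // Time-based injection shows up as response time even when the payload is obfuscated.
    if ( (int) $duration >= $slow_us ) {
        $findings[] = sprintf( 'slow-response (%.1fs) from %s with product_order=%s', $duration / 1e6, $ip, $value );
    }
    return $findings;
}

// 2) Content check. Run over post_content (for example, rows from wp_posts) and returns
//    every custom_svg value that is absolute, uses a scheme, traverses, or is not an .svg.
function example_flag_custom_svg( $post_content ) {
    $findings = array();
    if ( ! preg_match_all( '/custom_svg\s*=\s*["\']([^"\']*)["\']/i', $post_content, $m ) ) {
        return $findings;
    }
    foreach ( $m[1] as $value ) {
        $lower = strtolower( $value );
        if ( false !== strpos( $lower, '..' )
            || '.svg' !== substr( $lower, -4 )
            || preg_match( '#^(/|[a-z]+:)#', $lower ) ) {
            $findings[] = "suspicious custom_svg value: {$value}";
        }
    }
    return $findings;
}

// Constructed sample data (not real traffic).
$example_log = array(
    '203.0.113.10 - - [12/May/2026:10:00:01 +0000] "GET /shop/?product_order=date HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 180000',
    '203.0.113.10 - - [12/May/2026:10:00:09 +0000] "GET /shop/?product_order=date%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5210000',
);
$example_post = '[example_icon custom_svg="icons/cart.svg"] [example_icon custom_svg="../../wp-config.php"]';

foreach ( $example_log as $line ) {
    foreach ( example_flag_log_line( $line ) as $finding ) {
        echo $finding, PHP_EOL;
    }
}
foreach ( example_flag_custom_svg( $example_post ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run with `php scanner.php`; the first log line produces nothing, the second is reported twice (once for the pattern, once for the 5.2 s response), and only the traversing shortcode value is flagged. The duration check is the one worth keeping even after patching: a plain pattern match misses encoded payloads, while a cluster of multi-second responses on an endpoint that normally answers in milliseconds is hard to hide.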

This incident highlights how even widely trusted plugins can introduce serious security risks if not regularly audited.

With over a million active installations, the attack surface is massive, making such vulnerabilities attractive targets for threat actors.

As attackers continue to automate the exploitation of known flaws, timely patching remains the most effective defense for WordPress site owners.



