Avada Builder Flaws Expose One Million WordPress Sites

https://www.infosecurity-magazine.com/news/avada-builder-flaws-one-million/

Publish Date: 2026-05-24 01:55:37

Source Domain: www.infosecurity-magazine.com

Summary of Avada Builder WordPress Plugin Vulnerabilities

Two significant vulnerabilities, tracked as CVE-2026-4782 and CVE-2026-4798, were identified in the Avada Builder WordPress plugin, putting approximately one million websites at risk. The flaws were reported by Rafie Muhammad through the Wordfence Bug Bounty Program and publicly disclosed on May 12.

The first, CVE-2026-4782, is an arbitrary file read issue with a CVSS rating of 6.5. It allows any authenticated user, even one with subscriber-level access, to read sensitive files such as wp-config.php, which contains the database credentials and security keys. The second, CVE-2026-4798, is a high-severity unauthenticated time-based SQL injection with a CVSS rating of 7.5. It affects sites where WooCommerce was installed and later deactivated, and is triggered through the product_order parameter.

The developers began addressing the problems as soon as they were notified, releasing version 3.15.2 on April 13 and the final fix in version 3.15.3 on May 12. Wordfence advised updating immediately and suggested additional defensive actions: reviewing accounts created around the disclosure period, rotating credentials, and monitoring for abnormal traffic.

Key Points:

  • Two vulnerabilities in the Avada Builder WordPress plugin were found, exposing around one million sites to arbitrary file read and SQL injection attacks.
  • CVE-2026-4782, an arbitrary file read flaw, lets any authenticated user, even a subscriber, read sensitive server files such as wp-config.php.
  • CVE-2026-4798, an unauthenticated time-based SQL injection flaw, affects sites where WooCommerce was installed and later deactivated.
  • Developer response was rapid: an initial patch in version 3.15.2 on April 13 and the final fix in version 3.15.3 on May 12.
  • Additional measures are recommended: auditing newly created accounts, rotating credentials, and monitoring admin traffic for anomalies.
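To make the traffic-monitoring and account-audit advice concrete, here is an added example that is not code from the article, from Wordfence, or from the Avada developers: a small Python triage script that parses Apache combined-format access log lines and flags three things worth a closer look on an Avada site during the exposure window: time-based SQL injection payloads (SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY) in query parameters such as product_order, path-traversal or wp-config.php strings in any parameter (the file read flaw needs a logged-in user, which a web log cannot show, so a 200 on such a request is a prompt to check sessions), and WordPress registration requests to cross-check against the user table. The log lines, IP addresses, timestamps, the admin-ajax.php action name load_file and its file parameter are all constructed for this example; the page does not name the plugin's actual vulnerable endpoints.

```python
import re
import sys
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log (Apache combined format). Endpoints and payloads are
# illustrative only; the article does not name the plugin's vulnerable URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2026:02:14:07 +0000] "GET /?product_order=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [13/May/2026:02:14:19 +0000] "GET /?product_order=1%20AND%20(SELECT%20BENCHMARK(5000000,MD5(1))) HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [13/May/2026:02:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=load_file&file=../../wp-config.php HTTP/1.1" 200 3092 "-" "Mozilla/5.0"
192.0.2.44 - - [13/May/2026:02:16:40 +0000] "GET /shop/?product_order=price HTTP/1.1" 200 20444 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [13/May/2026:02:17:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Time-based SQLi primitives across MySQL/MariaDB, PostgreSQL and MSSQL.
TIME_BASED_SQLI = re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
# Traversal sequences or a direct reference to the WordPress config file.
FILE_READ = re.compile(r"\.\./|\.\.\\|wp-config\.php", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes once; unquote again so double-encoded payloads
    # such as %252e%252e%2f ("../") are inspected in decoded form.
    rec["params"] = {
        name: [unquote(v) for v in values]
        for name, values in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def classify(rec):
    """Return (kind, param, value) tuples for every suspicious feature of a request."""
    hits = []
    for name, values in rec["params"].items():
        for value in values:
            # The article names product_order, but the same payload in any
            # parameter deserves attention, so every parameter is checked.
            if TIME_BASED_SQLI.search(value):
                hits.append(("time_based_sqli", name, value))
            elif FILE_READ.search(value):
                hits.append(("file_read_attempt", name, value))
    # Registrations are not attacks by themselves; they are collected so the
    # account-creation audit can be cross-checked against wp_users.
    if rec["path"].endswith("/wp-login.php") and rec["params"].get("action") == ["register"]:
        hits.append(("account_registration", "action", "register"))
    return hits


def analyze(log_text):
    """Run classification over a whole log and return a flat list of findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, param, value in classify(rec):
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "status": int(rec["status"]), "kind": kind, "param": param, "value": value,
            })
    return findings


def count_by_ip(findings):
    """Aggregate findings per source address to surface the noisiest clients."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    results = analyze(text)
    for f in results:
        print(f'{f["ts"]} {f["ip"]} {f["status"]} {f["kind"]} {f["param"]}={f["value"]!r} ({f["path"]})')
    print("per-IP totals:", count_by_ip(results))
```

Run it as `python triage.py < access.log` against a real log, or with no input to see it work on the constructed sample. Hits for SLEEP or BENCHMARK on product_order from an automated user agent, as in the first two sample lines, match the injection pattern described above; a 200 on a request carrying wp-config.php in a parameter is the cue to check whether that address held a subscriber session at the time, and every registration in the window should be compared with the accounts that actually exist.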