Avada Builder Flaws Enable WordPress Credential Theft
Two Avada Builder plugin vulnerabilities affect 1M+ WordPress sites, enabling file reads and SQL injection attacks. Learn what's exposed and how to patch now.
Avada Builder Vulnerabilities Put 1 Million Sites at Risk
Two security flaws in the Avada Builder WordPress plugin have put an estimated one million active installations at risk of credential theft and full site takeover. The vulnerabilities, tracked as CVE-2026-4782 and CVE-2026-4798, allow attackers to read arbitrary files from the server and extract sensitive data directly from the database. Security researcher Rafie Muhammad discovered both issues and reported them through the Wordfence Bug Bounty Program, earning $3,386 and $1,067 respectively.
Avada Builder is a drag-and-drop page builder tied to the Avada WordPress theme. It is one of the most widely used commercial plugins in the WordPress ecosystem, which makes both flaws high-priority patches regardless of their individual severity ratings.
How CVE-2026-4782 Exposes wp-config.php
The first flaw lives in the plugin's shortcode-rendering functionality. Specifically, the custom_svg parameter accepts user-controlled input without validating the file type or source. Any authenticated user with at minimum subscriber-level access can craft a request that reads arbitrary files from the server, including wp-config.php.
That file is the crown jewel of a WordPress installation. It holds database credentials, authentication keys, and salts. Reading it gives an attacker everything needed to access the database directly or forge authentication cookies and escalate to administrator access. The plugin's maintainers rated this medium severity because it requires authentication, but that bar is low. Sites with open user registration hand this access to anyone who signs up.
The flaw affects all versions of Avada Builder through 3.15.2.
CVE-2026-4798: Unauthenticated SQL Injection via WooCommerce Tables
The second vulnerability is an unauthenticated time-based blind SQL injection. It exists because the product_order parameter was inserted directly into a SQL ORDER BY clause without proper query preparation or sanitization. Attackers can manipulate this parameter to extract data from the database incrementally, including password hashes for all registered users.
There is a specific precondition. The site must have previously had WooCommerce installed and then deactivated, with its database tables still present. That sounds narrow, but it describes a meaningful slice of real-world WordPress deployments. Developers frequently deactivate plugins during testing or migrations without dropping the associated tables.
This flaw affects Avada Builder versions through 3.15.1. No authentication is required to trigger it.
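As an added illustration of the bug class described above (not Avada Builder's own code), the PHP below shows a raw ORDER BY interpolation next to an allowlist-based fix. The function names, the accepted product_order values and the query against the posts table are assumptions; $wpdb, sanitize_key() and wp_unslash() are standard WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. Placeholders in $wpdb->prepare()
// only bind values, not identifiers or keywords, so an ORDER BY clause cannot
// be "prepared away"; the robust fix is to map the request parameter onto a
// small set of fixed SQL fragments and never echo the raw input into the query.

// VULNERABLE pattern: user input concatenated straight into ORDER BY.
function avb_example_products_unsafe( $wpdb, $product_order ) {
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'product' ORDER BY {$product_order}";
    return $wpdb->get_results( $sql );
}

// HARDENED: translate the parameter to one of a few fixed fragments (assumed keys).
function avb_example_order_by_clause( $product_order ) {
    $allowed = array(
        'title_asc'  => 'post_title ASC',
        'title_desc' => 'post_title DESC',
        'date_desc'  => 'post_date DESC',
    );
    // sanitize_key() reduces the input to lowercase a-z, 0-9, '_' and '-'.
    $key = sanitize_key( (string) $product_order );
    // Unknown or malformed values fall back to a safe default instead of erroring out.
    return isset( $allowed[ $key ] ) ? $allowed[ $key ] : 'post_date DESC';
}

function avb_example_products_safe( $wpdb, $product_order, $limit = 20 ) {
    $order_by = avb_example_order_by_clause( $product_order ); // fixed fragment only
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_type = %s ORDER BY {$order_by} LIMIT %d",
            'product',
            (int) $limit
        )
    );
}

// Hypothetical request handler: the raw GET value never reaches the SQL string.
function avb_example_handle_request( $wpdb ) {
    $product_order = isset( $_GET['product_order'] ) ? wp_unslash( $_GET['product_order'] ) : '';
    return avb_example_products_safe( $wpdb, $product_order );
}
```

WordPress 6.2 and later also offer the %i identifier placeholder in $wpdb->prepare(), which backtick-quotes a column name, but it does not cover the ASC/DESC keyword, so an allowlist is still needed for a complete sort clause.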
What Developers and Site Owners Should Do Now
Patch immediately. The fully fixed version is Avada Builder 3.15.3, released May 12, 2026. A partial fix (3.15.2) shipped April 13 but did not fully address both issues. Running anything older than 3.15.3 leaves you exposed.
Beyond patching, a few additional steps are worth taking:
- Audit wp-config.php permissions. Restrict read access at the filesystem level where possible.
- Rotate database credentials and WordPress secret keys if your site ran a vulnerable version with open user registration.
- Drop unused WooCommerce tables if you have permanently deactivated the plugin. There is no reason to leave that attack surface intact.
- Run a vulnerability scan against your WordPress installation to check for other exposed parameters or misconfigured plugins.
For broader context on WordPress plugin security patterns, see our guide to WordPress plugin vulnerabilities.
FAQ
Do I need to have WooCommerce active right now for CVE-2026-4798 to affect me? No. The vulnerability triggers if WooCommerce was ever installed and deactivated, as long as its database tables remain. Even a historical installation counts.
Is subscriber-level access genuinely hard to obtain for CVE-2026-4782? On sites with open registration it is not. Any visitor can create an account. Even on closed-registration sites, compromised low-privilege accounts from unrelated breaches can be reused.
Will updating to 3.15.3 retroactively protect credentials already exposed? No. Patching stops future exploitation but does not undo past access. If your site ran a vulnerable version, rotate database credentials, WordPress keys, and any secrets stored in wp-config.php as a precaution.