Avada Builder WordPress Plugin Flaws Expose Site Credentials
CVE-2026-4782 and CVE-2026-4798 in Avada Builder (1M+ installs) let attackers read wp-config.php and extract database hashes. Patch to version 3.15.3.

Executive Summary
Two vulnerabilities in the Avada Builder plugin for WordPress, installed on an estimated one million sites, allow attackers to read arbitrary server files and extract sensitive database content. The first flaw, CVE-2026-4782, is an arbitrary file read accessible to any authenticated user with subscriber-level privileges. The second, CVE-2026-4798, is an unauthenticated time-based blind SQL injection that can leak password hashes and other credentials, but only works on sites where WooCommerce was previously enabled and then deactivated. Researcher Rafie Muhammad reported both issues through the Wordfence Bug Bounty Program, earning $3,386 and $1,067 respectively. A fully patched version, 3.15.3, was released on May 12, 2026.
Technical Analysis
Avada Builder is a drag-and-drop page builder plugin for the Avada WordPress theme, enabling site owners to create layouts and design elements without coding. Its broad adoption makes it an attractive target.
CVE-2026-4782 — Arbitrary File Read
This flaw resides in the plugin's shortcode-rendering functionality, specifically via the custom_svg parameter. Wordfence researchers determined that the plugin fails to validate file types or sources when processing shortcode input, according to a technical analysis shared with BleepingComputer. An authenticated user with subscriber-level access can exploit this to read the contents of any file on the server, including wp-config.php.
Access to wp-config.php is particularly damaging because the file contains database credentials, authentication keys, and salts. An attacker who obtains these secrets can connect directly to the site's database, forge session cookies, or escalate privileges to compromise an administrator account, leading to full site takeover. Wordfence assigned this flaw a medium-severity rating because it requires authentication, but the barrier is low: many WordPress sites allow user registration by default, and subscriber accounts are trivial to create or compromise.
CVE-2026-4798 — Unauthenticated SQL Injection
The second vulnerability is a time-based blind SQL injection in the product_order parameter. The plugin inserts user-controlled input directly into an SQL ORDER BY clause without parameterized queries or proper sanitization. This allows an unauthenticated attacker to extract data from the database one character at a time by observing response timing differences.
The exploitation prerequisite is that WooCommerce must have been installed and enabled on the site at some point, then deactivated, leaving its database tables intact. This condition is common on e-commerce sites that have switched platforms or retired their storefronts. An attacker can leverage the injection to retrieve password hashes for all user accounts, which can then be cracked offline to gain authenticated access.
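The ORDER BY handling described above, shown beside the standard defence. Column names and sort directions cannot be bound as query placeholders in most database drivers, so parameterization alone does not close this class of bug; the fix is an allowlist that maps client-supplied sort names to known columns and rejects anything else. This is an added illustration in Python with sqlite3, not Avada Builder's PHP or the vendor's patched code; the table, column names and request values are constructed.

```python
"""Allowlisting an ORDER BY column: the standard fix for the bug class described
for the product_order parameter. Added illustration, not Avada Builder code.
The products table, its columns and the request values are constructed."""
import sqlite3

# Names a client may send, mapped to the real columns they are allowed to sort by.
# Anything missing from this dict is rejected, so raw request text never reaches the SQL.
SORT_COLUMNS = {
    "title": "post_title",
    "date": "post_date",
    "price": "price",
    "menu_order": "menu_order",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_unsafe_query(product_order):
    """The vulnerable shape: request input concatenated straight into ORDER BY.
    Returned, never executed here; it only shows that the raw value lands in the SQL text."""
    return "SELECT id, post_title FROM products ORDER BY " + product_order


def build_safe_query(product_order):
    """Parse 'column' or 'column direction' and substitute only allowlisted identifiers."""
    parts = product_order.strip().lower().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("malformed product_order")
    column = SORT_COLUMNS.get(parts[0])
    direction = DIRECTIONS.get(parts[1] if len(parts) == 2 else "asc")
    if column is None or direction is None:
        raise ValueError("product_order not in allowlist")
    return f"SELECT id, post_title FROM products ORDER BY {column} {direction}"


def is_accepted(product_order):
    """True if the allowlist would let this sort value through."""
    try:
        build_safe_query(product_order)
        return True
    except ValueError:
        return False


def fetch_titles(product_order):
    """Run the allowlisted query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, post_title TEXT,"
        " post_date TEXT, price REAL, menu_order INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Mug", "2026-01-03", 9.5, 2),
            (2, "Hoodie", "2026-02-14", 39.0, 1),
            (3, "Sticker pack", "2026-03-30", 4.0, 3),
        ],
    )
    rows = conn.execute(build_safe_query(product_order)).fetchall()
    conn.close()
    return [title for _, title in rows]


if __name__ == "__main__":
    print(fetch_titles("date desc"))
    print(is_accepted("price, post_title"))  # not a single allowlisted name: rejected
```

The mapping also decouples the names exposed in URLs from the real schema, so a client learns nothing about column names from the sort parameter.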
Disclosure Timeline
Rafie Muhammad submitted both vulnerabilities to Wordfence on March 21, 2026. Wordfence reported them to the Avada Builder publisher on March 24. A partial fix, version 3.15.2, was released on April 13, addressing the file read but not the SQL injection. The fully patched version 3.15.3, which resolves both issues, was released on May 12.
Mitigations & Recommendations
Site administrators should update Avada Builder to version 3.15.3 immediately. For sites where updating is not immediately possible, the following mitigations can reduce risk:
- Disable user registration on WordPress sites that do not require it, removing the subscriber-level access needed to exploit CVE-2026-4782.
- Remove or clean up WooCommerce database tables if the plugin is no longer in use, eliminating the prerequisite for CVE-2026-4798 exploitation.
- Monitor server access logs for anomalous requests to wp-config.php or unusual SQL query patterns targeting the product_order parameter.
- Implement Web Application Firewall (WAF) rules to block requests containing suspicious shortcode or SQL injection payloads targeting Avada Builder endpoints.
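One way to act on the log-monitoring recommendation above, as an added example that is not Wordfence's or the plugin vendor's code: a Python filter over Apache-style access-log lines that flags any query value naming wp-config.php or containing a traversal sequence (the CVE-2026-4782 shape) and any product_order value that is not a plain column name with an optional asc/desc (the CVE-2026-4798 shape). The log lines, client addresses and request shapes are constructed for the example; the exact request format the plugin accepts is not given in the article.

```python
"""Access-log triage for the two Avada Builder issues discussed above.
Added example, not Wordfence or Avada Builder code. All log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines; addresses, paths and values are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [13/May/2026:10:01:02 +0000] "GET /shop/?product_order=price%20desc HTTP/1.1" 200 5123
203.0.113.11 - - [13/May/2026:10:01:09 +0000] "GET /?custom_svg=wp-config.php HTTP/1.1" 200 2211
203.0.113.12 - - [13/May/2026:10:02:44 +0000] "GET /shop/?product_order=menu_order%29%3B HTTP/1.1" 200 5123
203.0.113.13 - - [13/May/2026:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate sort value is an identifier, optionally followed by asc or desc.
SORT_OK = re.compile(r"^[a-z_]+(\s+(asc|desc))?$", re.IGNORECASE)


def params_of(target):
    """Decode the query string into (name, value) pairs.
    parse_qsl decodes once; the extra unquote catches double-encoded values."""
    query = urlsplit(target).query
    return [(k, unquote(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify(line):
    """Return (tag, parameter) findings for one log line; empty list if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, value in params_of(m.group("target")):
        lowered = value.lower()
        # Any parameter carrying the config file name or a traversal sequence.
        if "wp-config.php" in lowered or "../" in lowered or "..\\" in lowered:
            findings.append(("file-read", name))
        # product_order carrying anything beyond "column [asc|desc]".
        if name == "product_order" and not SORT_OK.match(value):
            findings.append(("sqli-shape", name))
    return findings


def triage(log_text):
    """Map each client address with suspicious requests to its findings."""
    report = {}
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            ip = LOG_RE.match(line).group("ip")
            report.setdefault(ip, []).extend(tags)
    return report


if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(ip, tags)
```

Run against a real log, the `file-read` check is parameter-agnostic on purpose: the article identifies custom_svg as the vector, but the config file name or a traversal sequence in any query value is worth a look regardless of which plugin parameter carries it.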