
Two Avada Builder WordPress Plugin Vulnerabilities Expose Up to 1 Million Sites to Credential Theft and Database Extraction

Security researcher Rafie Muhammad disclosed CVE‑2026‑4782 and CVE‑2026‑4798 in the Avada Builder plugin, allowing authenticated file reads and unauthenticated SQL injection. With roughly one million active installations, the flaws put site credentials and password hashes at risk, demanding immediate patching for third‑party‑managed WordPress sites.

LiveThreat™ Intelligence · May 16, 2026 · bleepingcomputer.com

Severity: High
Type: Vulnerability
Confidence: High
Affected: 2 sector(s)
Actions: 4 recommended
Source: bleepingcomputer.com


What Happened – Two separate flaws were disclosed in the Avada Builder plugin (≈1 M active installations). CVE‑2026‑4782 allows any authenticated user with subscriber‑level rights to read arbitrary files, including wp‑config.php. CVE‑2026‑4798 is an unauthenticated blind SQL injection that can be triggered after WooCommerce has been enabled then disabled, permitting extraction of password hashes and other database data.

Why It Matters for TPRM

  • Credential files (db passwords, keys) can be stolen, leading to full site takeover.
  • Unauthenticated SQL injection bypasses typical user‑access controls, exposing data even on sites that restrict registration.
  • The plugin is bundled with the popular Avada theme; many third‑party‑managed websites rely on it, expanding the attack surface across sectors.

Who Is Affected – All organizations that host WordPress sites using the Avada Builder theme/plugin, especially those that allow public user registration or run WooCommerce (even if later disabled).

Recommended Actions

  • Verify whether any of your managed sites run Avada Builder ≤ 3.15.2.
  • Immediately upgrade to version 3.15.3 (or later).
  • Review user‑role assignments; restrict subscriber‑level access where possible.
  • Conduct a file‑integrity scan for exposure of wp‑config.php or other sensitive files.
  • If WooCommerce was ever enabled, audit database tables for signs of SQL‑injection exploitation.
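To work through the first two actions above at scale, here is an added Python example (written for this brief; it is not code from BleepingComputer, the researcher or the Avada project). It reads the plugin's version from the standard WordPress plugin header and classifies it against the two versions the brief names: 3.15.2 (partial fix, still inside the "≤ 3.15.2" range to verify) and 3.15.3 (full remediation). The plugin directory name fusion-builder is an assumption, as is the header layout of the sample; the script reads files only and makes no network or WordPress API calls.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Versions named in the brief: 3.15.2 carried only a partial fix, 3.15.3 the full remediation.
PARTIAL_FIX = (3, 15, 2)
FULL_FIX = (3, 15, 3)

# Assumption: Avada Builder lives in wp-content/plugins/fusion-builder/ and, like every
# WordPress plugin, declares "Version:" in the PHP comment header of its main file.
PLUGIN_DIR_NAME = "fusion-builder"

# Constructed sample of a plugin header, used for the stand-alone demo below.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Avada Builder
 * Version: 3.15.2
 */
"""

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header block."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.15.2' into (3, 15, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def classify(version: str) -> str:
    """Map a version string onto the patch states described in the brief."""
    parsed = version_tuple(version)
    if parsed >= FULL_FIX:
        return "patched"
    if parsed >= PARTIAL_FIX:
        return "partial-fix"  # still within the "<= 3.15.2" range the brief says to verify
    return "vulnerable"


def find_plugin_main_file(plugins_root: Path) -> Optional[Path]:
    """Return the first top-level PHP file in the plugin directory that carries a Version: header."""
    plugin_dir = plugins_root / PLUGIN_DIR_NAME
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        # Plugin headers sit at the top of the file, so the first few KB are enough.
        if parse_plugin_version(php_file.read_text(errors="replace")[:4096]):
            return php_file
    return None


def triage_site(plugins_root: str) -> dict:
    """Report whether Avada Builder is installed under plugins_root and which patch state it is in."""
    main_file = find_plugin_main_file(Path(plugins_root))
    if main_file is None:
        return {"installed": False}
    version = parse_plugin_version(main_file.read_text(errors="replace")[:4096])
    return {"installed": True, "version": version, "status": classify(version)}


if __name__ == "__main__":
    # Demo on the constructed header; pass a real wp-content/plugins path to triage_site() in practice.
    demo_version = parse_plugin_version(SAMPLE_HEADER)
    print(f"sample header version {demo_version}: {classify(demo_version)}")
```

Run triage_site() against each managed site's wp-content/plugins directory and treat both "vulnerable" and "partial-fix" as needing the 3.15.3 upgrade; only "patched" closes the item.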

Technical Notes

  • Attack vectors: Authenticated arbitrary‑file‑read via the custom_svg shortcode parameter; unauthenticated blind SQL injection via the product_order parameter (requires WooCommerce activation/deactivation).
  • CVEs: CVE‑2026‑4782 (file read, authenticated); CVE‑2026‑4798 (SQL injection, unauthenticated).
  • Data at risk: Database credentials, cryptographic keys, password hashes, potentially any file readable by the web server.
  • Patch status: Partial fix in 3.15.2 (April 13 2026); full remediation in 3.15.3 (May 12 2026).
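For the last recommended action and the two attack vectors listed above, an added Python example (not from the brief or its source) scans constructed web-server access-log lines for requests that carry the two parameter names the technical notes give, with values a product sort key or an SVG path should never contain. That both parameters arrive as URL query-string parameters named exactly product_order and custom_svg is an assumption; the brief does not specify the endpoints, and POST bodies do not appear in access logs. A hit is a lead for the database audit, not proof of exploitation, and the check does not depend on the site's WooCommerce state.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2026:10:01:02 +0000] "GET /shop/?product_order=menu_order HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [16/May/2026:10:01:09 +0000] "GET /shop/?product_order=menu_order'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.12 - - [16/May/2026:10:02:30 +0000] "GET /?custom_svg=../../wp-config.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.13 - - [16/May/2026:10:03:00 +0000] "GET /about/?custom_svg=icons/logo.svg HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A product ordering key is expected to be a short identifier; anything else is worth a look.
_SORT_KEY_OK = re.compile(r"^[A-Za-z0-9_\-]{0,64}$")
# Tokens that have no business in a sort key but are typical of SQL injection probes.
_SQL_TOKENS = re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b|--|/\*|'", re.IGNORECASE)
# Path traversal or a direct reference to the file the brief says CVE-2026-4782 exposes.
_PATH_ABUSE = re.compile(r"\.\./|\.\.\\|wp-config\.php", re.IGNORECASE)


def inspect_request(target: str) -> List[str]:
    """Return finding strings for one request target (path plus query string)."""
    findings: List[str] = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in query.get("product_order", []):
        value = unquote(raw)  # parse_qs decoded once; unquote again to catch double encoding
        if not _SORT_KEY_OK.match(value) or _SQL_TOKENS.search(value):
            findings.append(f"product_order carries non-sort-key value {value!r} (CVE-2026-4798 pattern)")
    for raw in query.get("custom_svg", []):
        value = unquote(raw)
        if _PATH_ABUSE.search(value):
            findings.append(f"custom_svg references {value!r} (CVE-2026-4782 pattern)")
    return findings


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Scan combined-format log lines and return one record per request that has findings."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                         "target": m.group("target"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Feed scan_log() the access logs going back to the plugin's install date (the brief says the SQL injection is unauthenticated, so do not filter on logged-in sessions) and use the source IPs and timestamps of any hits to scope the database audit.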

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/avada-builder-wordpress-plugin-flaws-allow-site-credential-theft/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
