Major Vulnerabilities Discovered in Avada Builder Plugin for WordPress
Recently, two critical vulnerabilities were uncovered in the Avada Builder plugin for WordPress, endangering nearly one million websites. These weaknesses pose risks of arbitrary file read and SQL injection attacks, which could lead to severe consequences for website owners and users alike.
Prominent cybersecurity service provider Wordfence revealed this information in a detailed analysis published on May 12. The report credits independent security researcher Rafie Muhammad for identifying the vulnerabilities and submitting them through the Wordfence Bug Bounty Program on March 21.
SVG Shortcode and Post Cards Vulnerabilities
The first vulnerability, identified as CVE-2026-4782, is an arbitrary file read flaw rated 6.5 on the Common Vulnerability Scoring System (CVSS). This vulnerability exists within the plugin’s fusion_get_svg_from_file function, primarily accessed via the fusion_section_separator shortcode when a custom SVG parameter is utilized.
Due to the lack of file type and source validation in this function, authenticated users who have subscriber-level access can exploit it to read sensitive files on the server. Among the most critical files accessible is wp-config.php, which contains key information such as the WordPress database credentials, cryptographic keys, and salts essential for maintaining site security.
In light of previous incidents, such as vulnerabilities found in the Slider Revolution plugin that exposed four million WordPress sites, this discovery underscores the potential risks associated with third-party plugins.
The second vulnerability, known as CVE-2026-4798, presents an even greater risk in the form of an unauthenticated time-based SQL injection affecting the product_order parameter. Rated 7.5 (High) on the CVSS scale, this flaw is the more alarming of the two because it requires no authentication to exploit.
While the plugin does employ sanitize_text_field() on the input to mitigate potential issues, this function does not adequately safeguard against SQL injection. Further compounding the problem, the resulting ORDER BY clause is concatenated directly into the SQL query rather than being passed through prepare(), the parameterization function WordPress provides for secure database queries.
Interestingly, this vulnerability is exploitable solely on sites where WooCommerce had been installed and subsequently deactivated, which will undoubtedly be a concern for many users.
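As an added illustration of the pattern described above (this is not Avada's code; the query, table columns and function names are constructed for the example), the vulnerable concatenation is shown beside a hardened version. Because ORDER BY takes a column identifier rather than a value, prepare() placeholders cannot parameterize it, so the fix is an allowlist rather than escaping.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress context where
// $wpdb and sanitize_text_field() are available.

// Vulnerable pattern from the article: sanitize_text_field() strips tags and
// stray whitespace, but it leaves SQL syntax intact, and the value is then
// concatenated straight into the query.
function vulnerable_product_query( $product_order ) {
    global $wpdb;
    $order = sanitize_text_field( $product_order );
    return $wpdb->get_results(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' ORDER BY " . $order
    );
}

// Hardened version: untrusted input is mapped onto a fixed allowlist of
// columns and directions, and anything unrecognised falls back to a default.
// A %s placeholder would quote the identifier as a string literal and make
// the sort a silent no-op, which is why prepare() alone is not the fix here.
function safe_product_order_clause( $product_order ) {
    $allowed_columns    = array(
        'date'       => 'post_date',
        'title'      => 'post_title',
        'menu_order' => 'menu_order',
    );
    $allowed_directions = array( 'ASC', 'DESC' );

    $parts     = explode( ' ', trim( (string) $product_order ), 2 );
    $column    = isset( $allowed_columns[ $parts[0] ] ) ? $allowed_columns[ $parts[0] ] : 'post_date';
    $direction = isset( $parts[1] ) ? strtoupper( trim( $parts[1] ) ) : 'DESC';
    if ( ! in_array( $direction, $allowed_directions, true ) ) {
        $direction = 'DESC';
    }
    return "ORDER BY {$column} {$direction}";
}

function safe_product_query( $product_order ) {
    global $wpdb;
    // Values still go through prepare(); only the allowlisted identifier is concatenated.
    $sql = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s ", 'product' );
    return $wpdb->get_results( $sql . safe_product_order_clause( $product_order ) );
}
```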
Response and Mitigation Timeline
In response to these vulnerabilities, Wordfence provided full disclosure to the Avada development team on March 24 and March 25. Following this, the Avada team commenced work on a fix immediately. The developers rolled out an initial patch in version 3.15.2 on April 13, quickly followed by a more comprehensive fix in version 3.15.3 on May 12.
Given the immediate threat posed by these vulnerabilities, Wordfence has strongly advised site owners to update their plugins without delay to safeguard their websites. However, beyond simply updating, administrators are encouraged to take additional defensive actions to protect their sites further.
Some recommended measures include:
- Auditing all subscriber accounts: Site owners are advised to scrutinize accounts that were created around the time the vulnerabilities were disclosed.
- Resetting sensitive credentials: If there’s a suspicion that any server files have been compromised, it is prudent to rotate credentials stored in the wp-config.php file.
- Monitoring unusual traffic: Site administrators should keep an eye on the admin-ajax.php file for any unusual access patterns, particularly those referencing the affected shortcode, as these could indicate an ongoing attack attempt.
This latest disclosure from Wordfence adds another entry to the catalog of vulnerabilities associated with the Avada Builder plugin, raising ongoing concerns about the security of widely utilized WordPress plugins. With the popularity of WordPress continuing to grow, the potential risks associated with vulnerabilities in plugins can lead to not just individual site compromises, but broader threats across the entire WordPress ecosystem.
In this evolving landscape of cybersecurity threats, vigilance and timely action remain paramount for website owners reliant on third-party plugins to manage their online presence effectively.
