Critical Vulnerabilities in Avada Builder Plugin Expose WordPress Sites to Credential Theft

Critical Vulnerabilities in Avada Builder Plugin Expose WordPress Sites to Credential Theft

First seen 15 May 2026, 16:27 UTC ScworldBleepingcomputerCybersecuritynews 80% similarity 72.0

Article Content

Browse articles
ThreatCluster

Two vulnerabilities in the Avada Builder plugin for WordPress, affecting approximately one million installations, allow unauthorized access to sensitive data. The first vulnerability enables hackers to read arbitrary files, including wp-config.php, which contains critical database credentials. The second, an SQL injection flaw (CVE-2026-4798), can be exploited by unauthenticated attackers to extract sensitive information from the database, provided the WooCommerce plugin was previously used. These issues were reported by researcher Rafie Muhammad, who received a total bounty of $4,453. A partial fix was released on April 13, 2026, and a complete patch on May 12, 2026. Website administrators are urged to update to version 3.15.3 immediately to mitigate these risks.

Key Points: • Two critical vulnerabilities in the Avada Builder plugin could lead to credential theft. • CVE-2026-4798 allows SQL injection attacks without authentication under specific conditions. • Affected users are advised to update to version 3.15.3 to protect against these vulnerabilities.

ThreatCluster AI

Timeline

2026-03-21
Vulnerabilities reported to Wordfence
Rafie Muhammad reported two security flaws in Avada Builder to Wordfence Bug Bounty Program.
Bleepingcomputer
2026-03-24
Flaws reported to Avada Builder publisher
The vulnerabilities were disclosed to the publisher of the Avada Builder plugin.
Bleepingcomputer
2026-04-13
Partial fix released
Avada Builder version 3.15.2 was released to address the vulnerabilities partially.
Bleepingcomputer
2026-05-12
Complete patch released
The fully patched version 3.15.3 of Avada Builder was made available to users.
Bleepingcomputer
2026-05-13
CVE-2026-4798 published
CVE-2026-4798 was officially published, detailing the SQL injection vulnerability.
Bleepingcomputer

Community

Browse all →