Critical Vulnerabilities in Avada Builder Plugin Expose WordPress Sites to Credential Theft
Severity: High (Score: 72.0)
Sources: Scworld, Bleepingcomputer
Summary
Two vulnerabilities in the Avada Builder plugin for WordPress, affecting approximately one million installations, allow unauthorized access to sensitive data. The first vulnerability enables attackers to read arbitrary files, including wp-config.php, which contains critical database credentials. The second, an SQL injection flaw (CVE-2026-4798), can be exploited by unauthenticated attackers to extract sensitive information from the database, provided the WooCommerce plugin was previously used. These issues were reported by researcher Rafie Muhammad, who received a total bounty of $4,453. A partial fix was released on April 13, 2026, and a complete patch on May 12, 2026. Website administrators are urged to update to version 3.15.3 immediately to mitigate these risks.
Key Points
- Two critical vulnerabilities in the Avada Builder plugin could lead to credential theft.
- CVE-2026-4798 allows SQL injection attacks without authentication under specific conditions.
- Affected users are advised to update to version 3.15.3 to protect against these vulnerabilities.
Key Entities
- Data Breach (attack_type)
- SQL Injection (attack_type)
- Avada (company)
- Wordfence (company)
- CVE-2026-4798 (cve)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-89 - SQL Injection (cwe)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- Avada Builder (platform)
- WooCommerce (platform)
- WordPress (platform)