One Million WordPress Sites at Risk: Avada Builder's File Read and SQL Injection Flaws Allow Password Hash Theft and Server File Exposure — Update to 3.15.3 Now
Two serious security vulnerabilities discovered in the Avada Builder WordPress plugin — one of the most widely installed page builder tools in the WordPress ecosystem with over one million active installations — have exposed an enormous number of websites to arbitrary file reading and unauthenticated SQL injection attacks. The flaws, discovered by security researcher Rafie Muhammad through the Wordfence Bug Bounty Program and now tracked as CVE-2026-4782 and CVE-2026-4798, were disclosed to the Avada development team in late March 2026. Full patches were delivered in two stages, with the final comprehensive fix arriving in version 3.15.3 on May 12, 2026. All Avada Builder users are strongly advised to update to version 3.15.3 immediately — the attack surface is enormous and the vulnerabilities are well-documented enough to be exploited at scale.
The first vulnerability, CVE-2026-4782, carries a CVSS score of 6.5 and allows any authenticated user with subscriber-level access or higher to read arbitrary files stored on the server. The flaw resides in the plugin's fusion_get_svg_from_file() function, which is invoked by the fusion_section_separator shortcode when the custom_svg parameter is provided. In the vulnerable versions of the plugin, this function performs no file type validation and no file source verification — meaning it will attempt to load and return the contents of any file path provided to it, not just SVG image files. By manipulating the custom_svg parameter, a subscriber-level user can direct the function to retrieve the contents of sensitive server files, including wp-config.php — the WordPress configuration file that holds the database credentials and connection details along with the site's cryptographic security keys and salts. Combined with the fact that authenticated users can invoke the underlying AJAX shortcode rendering function without a capability check, a low-privilege account becomes a gateway to the site's most critical configuration secrets. The flaw was partially patched in version 3.15.2 and fully resolved in version 3.15.3.
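To make the "file source verification" and "file type validation" the paragraph describes concrete, here is an added example (not Avada's code) of what a hardened loader in the position of fusion_get_svg_from_file() would check before returning anything; the function name and the allowed directory are assumptions.

```php
<?php
// Added example (not Avada's code): a hardened replacement for a loader like
// fusion_get_svg_from_file(). The function name and allowed directory are assumptions.

// Return the contents of an SVG file, or null when the request is not a real
// SVG inside $allowedDir. Every check the vulnerable version lacked runs first.
function safe_get_svg_from_file(string $requested, string $allowedDir): ?string
{
    $base = realpath($allowedDir);
    $path = realpath($requested);               // collapses ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;                            // missing file or bad base dir
    }
    // Source check: the resolved path must sit under the allowed directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Type check: extension must be .svg (case-insensitive).
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'svg') {
        return null;
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }
    // Content check: must parse as XML whose root element is <svg>.
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($data);
    libxml_clear_errors();
    return ($xml !== false && $xml->getName() === 'svg') ? $data : null;
}

// Constructed demo: a real SVG and a text file inside a temp dir, plus a real
// SVG one level above it, then three requests against the allowed dir.
$dir = sys_get_temp_dir() . '/svg_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/ok.svg", '<svg xmlns="http://www.w3.org/2000/svg"/>');
file_put_contents("$dir/notes.txt", 'not an svg');
$outside = sys_get_temp_dir() . '/outside_' . bin2hex(random_bytes(4)) . '.svg';
file_put_contents($outside, '<svg xmlns="http://www.w3.org/2000/svg"/>');
$requests = [
    "$dir/ok.svg",                                // valid SVG in the allowed dir
    "$dir/notes.txt",                             // right place, wrong type
    "$dir/../" . basename($outside),              // right type, traversal leaves the dir
];
foreach ($requests as $r) {
    echo str_pad(basename($r), 24), safe_get_svg_from_file($r, $dir) === null ? 'rejected' : 'allowed', PHP_EOL;
}
```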
The second and more severe vulnerability, CVE-2026-4798, carries a CVSS score of 7.5 and requires no authentication at all to exploit. The flaw exists in the plugin's post_query() function within the FusionSC_PostCards class, which handles queries for WordPress post card items. The product_order GET parameter — used to specify the sort order of results — is passed through the sanitize_text_field() function before being inserted directly into an SQL query's ORDER BY clause without using WordPress's wpdb prepare() method. While sanitize_text_field() strips certain characters, it does not provide protection against SQL injection attacks. Because the query structure prevents union-based SQL injection, attackers must use a time-based blind approach — injecting SQL CASE statements combined with SLEEP() commands and observing response timing to systematically extract data from the database one conditional at a time. This technique is intricate but well-established and frequently successful. Through this method, an unauthenticated attacker can extract sensitive database contents including user credentials and hashed passwords. A critical constraint applies: the vulnerability can only be exploited on sites where WooCommerce was previously installed and has since been deactivated, because the vulnerable code path depends on WooCommerce database tables being present. Despite this condition, the population of affected sites remains large and the impact of successful exploitation is severe.
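An added example, not the plugin's own code, of the fix for an ORDER BY built from a request parameter: an allowlist that maps accepted keys to fixed SQL, since prepare() binds values but cannot quote identifiers or keywords. The function names, the key-to-SQL map and the query skeleton are assumptions.

```php
<?php
// Added example (not Avada's code): replacing a concatenated ORDER BY with an
// allowlist. Function names, the key-to-SQL map and the query skeleton are assumptions.

// Each permitted key maps to a fixed SQL fragment written by the developer, so
// no user-controlled text ever reaches the query. wpdb::prepare() is the right
// tool for values (%s/%d) but cannot protect identifiers or keywords in
// ORDER BY; an allowlist is the control for those.
const PRODUCT_ORDER_MAP = [
    'date'       => 'p.post_date DESC',
    'date-asc'   => 'p.post_date ASC',
    'title'      => 'p.post_title ASC',
    'title-desc' => 'p.post_title DESC',
    'menu_order' => 'p.menu_order ASC, p.post_title ASC',
];
const PRODUCT_ORDER_DEFAULT = 'date';

function order_by_clause(?string $raw): string
{
    // Normalise, then require an exact key match; "sanitising" the string
    // (as sanitize_text_field() does) is not a substitute for this.
    $key = strtolower(trim((string) $raw));
    if (!array_key_exists($key, PRODUCT_ORDER_MAP)) {
        $key = PRODUCT_ORDER_DEFAULT;
    }
    return 'ORDER BY ' . PRODUCT_ORDER_MAP[$key];
}

function build_post_cards_query(?string $rawOrder, int $limit): string
{
    // In a real plugin $limit would be bound with wpdb::prepare('%d'); here the
    // int type and max() keep it a plain non-negative integer.
    $limit = max(0, $limit);
    return "SELECT p.ID, p.post_title FROM wp_posts p "
         . "WHERE p.post_type = 'product' AND p.post_status = 'publish' "
         . order_by_clause($rawOrder)
         . " LIMIT $limit";
}

// Constructed inputs: two valid keys (one with odd case and whitespace), one
// hostile string and a missing parameter; the last two fall back to the default.
foreach (['title-desc', ' MENU_ORDER ', 'price, SLEEP(5)', null] as $input) {
    echo build_post_cards_query($input, 10), PHP_EOL;
}
```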
Wordfence received submissions for both vulnerabilities on March 21, 2026 and validated both proof-of-concept exploits by March 25. Full disclosure details were provided to the Avada development team immediately through the Wordfence Vulnerability Management Portal. Wordfence Premium, Care, and Response users received a firewall rule protecting against the arbitrary file read flaw on March 25, 2026 — 30 days ahead of free users who received the same protection on April 24. The Avada team released a partial patch in version 3.15.2 on April 13, with the complete and final fix delivered in version 3.15.3 on May 12, 2026. Researcher Rafie Muhammad received a total of approximately $4,500 in bug bounty payments for the two discoveries — $3,386 for the file read flaw and $1,067 for the SQL injection.
Update Avada Builder to version 3.15.3 or later immediately using the WordPress plugin dashboard. Review and audit all user accounts on your site, removing unnecessary subscriber accounts that could be leveraged for the file read vulnerability. Monitor server and database logs for unusual file access patterns or anomalous slow SQL queries that might indicate time-based injection activity. Implement or verify a web application firewall such as Wordfence to provide an additional protective layer against exploit attempts targeting known vulnerabilities. Sites running WooCommerce in a deactivated state should treat the SQL injection risk as particularly urgent and prioritise patching above all other maintenance tasks. With over one million active Avada Builder installations globally, threat actors are highly likely to begin automated scanning and exploitation of unpatched sites — the combination of a well-documented arbitrary file read and an unauthenticated SQL injection represents an exceptionally attractive target profile for mass exploitation campaigns.
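One way to act on the advice to watch for anomalous slow queries, as an added example that is not from the article or Wordfence: a small PHP scanner over MySQL slow-query-log entries that flags slow statements calling SLEEP() or BENCHMARK() and notes when the call sits inside ORDER BY. The log excerpt is constructed and the 2-second threshold is an assumption.

```php
<?php
// Added example (not from the article or Wordfence): flagging the timing
// primitives of time-based blind injection in a MySQL slow query log. The log
// excerpt is constructed and the 2-second threshold is an assumption.

// Split the log into entries; each begins at a "# Time:" header line.
function parse_slow_log(string $log): array
{
    $entries = [];
    foreach (preg_split('/^(?=# Time: )/m', $log, -1, PREG_SPLIT_NO_EMPTY) as $chunk) {
        $qt   = preg_match('/^# Query_time: ([\d.]+)/m', $chunk, $m) ? (float) $m[1] : 0.0;
        $host = preg_match('/^# User@Host: (.+)$/m', $chunk, $m) ? trim($m[1]) : '?';
        // The statement is whatever remains after dropping "#" headers and SET timestamp.
        $sql = trim(preg_replace('/^(#.*|SET timestamp=\d+;)$/m', '', $chunk));
        $entries[] = ['host' => $host, 'query_time' => $qt, 'sql' => $sql];
    }
    return $entries;
}

// A statement is suspicious when it ran slowly AND calls a deliberate-delay
// function; whether the call sits inside ORDER BY ties it to this bug class.
function find_timing_injection(array $entries, float $minSeconds = 2.0): array
{
    $hits = [];
    foreach ($entries as $e) {
        if ($e['query_time'] < $minSeconds || preg_match('/\b(SLEEP|BENCHMARK)\s*\(/i', $e['sql']) !== 1) {
            continue;
        }
        $e['in_order_by'] = preg_match('/ORDER\s+BY\b[^;]*\b(SLEEP|BENCHMARK)\s*\(/i', $e['sql']) === 1;
        $hits[] = $e;
    }
    return $hits;
}

// Constructed slow-log excerpt: one ordinary query and one carrying a delay.
$sampleLog = <<<LOG
# Time: 2026-05-13T10:15:22.000000Z
# User@Host: wpuser[wpuser] @ localhost []  Id:    41
# Query_time: 0.004210  Lock_time: 0.000090 Rows_sent: 10  Rows_examined: 120
SET timestamp=1778667322;
SELECT ID FROM wp_posts WHERE post_status = 'publish' ORDER BY post_date DESC LIMIT 10;
# Time: 2026-05-13T10:15:27.000000Z
# User@Host: wpuser[wpuser] @ localhost []  Id:    42
# Query_time: 5.001900  Lock_time: 0.000110 Rows_sent: 10  Rows_examined: 120
SET timestamp=1778667327;
SELECT ID FROM wp_posts WHERE post_status = 'publish' ORDER BY (CASE WHEN 1=1 THEN SLEEP(5) ELSE 0 END) LIMIT 10;
LOG;

foreach (find_timing_injection(parse_slow_log($sampleLog)) as $hit) {
    printf("[%s] %.2fs%s: %s\n", $hit['host'], $hit['query_time'],
        $hit['in_order_by'] ? ' (delay inside ORDER BY)' : '', $hit['sql']);
}
```

Pointing the same functions at a real slow log (one enabled with long_query_time set below the delay an attacker would need) and grouping hits by host gives the "anomalous slow SQL queries" signal the paragraph recommends watching for.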