Two vulnerabilities in the Avada Builder WordPress plugin, which has an estimated one million active installations, could let attackers read arbitrary files or extract sensitive database information. The file-read issue affects versions through 3.15.2 and the SQL injection issue versions through 3.15.1; the fully patched release is 3.15.3.
KEY FACTS
- File read flaw CVE-2026-4782 lets authenticated users with subscriber-level access read files on the server.
- SQL injection CVE-2026-4798 can be used without authentication if WooCommerce was enabled and later deactivated.
- Impact: The flaws could expose wp-config.php, password hashes and database credentials.
- Fix: Version 3.15.3 was released on May 12 after a partial fix in 3.15.2.
A technical analysis by Wordfence says the arbitrary file read stems from the plugin’s shortcode-rendering feature and the custom_svg parameter. The report says the code did not properly validate file types or sources, which could allow access to sensitive files such as wp-config.php.
Access to that file can expose database credentials and cryptographic keys. The disclosure said that could lead to administrator account compromise and full site takeover. The file-read issue was rated medium severity because it requires subscriber-level access, but many WordPress sites allow user registration.
The time-based blind SQL injection flaw affected versions through 3.15.1 and involved user-controlled input from the product_order parameter being inserted into an SQL ORDER BY clause without proper query preparation. The issue could expose sensitive database data, including password hashes, if WooCommerce had been used and then deactivated and its tables remained intact.
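The hardening both flaws point at, shown as an added example written for this article rather than code from the plugin or the Wordfence report: a sort key taken from a request parameter is mapped through an allowlist because identifiers cannot be bound as prepared-statement parameters, and a request-supplied SVG name is confined to the upload directory and checked for type. It is written in Python so it runs stand-alone; the function names, the ALLOWED_ORDER map and the sample product table are assumptions, not the plugin's own.

```python
import os
import sqlite3
import tempfile

# Hypothetical hardening for the two bug classes described above. The
# function names, ALLOWED_ORDER map and sample data are assumptions.

# Column names cannot be bound as query parameters, so a request-supplied
# sort key is mapped through a fixed allowlist instead of being spliced in.
ALLOWED_ORDER = {"title": "title", "price": "price", "date": "created"}


def products_sorted(conn, product_order):
    """Return product titles ordered by a request-supplied sort key."""
    column = ALLOWED_ORDER.get(product_order)
    if column is None:
        raise ValueError("unsupported sort key")
    # Only allowlisted identifiers ever reach the SQL text.
    rows = conn.execute(f"SELECT title FROM products ORDER BY {column}")
    return [title for (title,) in rows]


def safe_svg_path(base_dir, requested):
    """Resolve a request-supplied SVG name inside base_dir only."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses '..' and symlinks; the result must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes upload directory")
    if not candidate.lower().endswith(".svg") or not os.path.isfile(candidate):
        raise ValueError("not an SVG file")
    return candidate


def demo():
    """Constructed product table and upload directory for trying the checks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (title TEXT, price REAL, created TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("Hat", 9.5, "2024-02-01"), ("Boots", 40.0, "2024-01-01")])
    uploads = tempfile.mkdtemp()
    with open(os.path.join(uploads, "logo.svg"), "w") as fh:
        fh.write("<svg xmlns='http://www.w3.org/2000/svg'/>")
    return conn, uploads
```

Any value outside the allowlist or outside the upload directory is rejected before it touches SQL or the filesystem, which is the property the two reported flaws lacked.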
The two flaws were reported to the plugin publisher in March, with a partial fix in April and the full patch in May. Website owners and administrators using Avada Builder were advised to update to version 3.15.3 as soon as possible.
WHY IT MATTERS
The vulnerabilities affect a widely used WordPress plugin and could expose credentials or database records that help attackers move from a limited account to full site compromise. Sites that still run older versions, or that meet the WooCommerce condition for the SQL injection flaw, face the greatest risk until patched.