Avada Builder WordPress plugin arbitrary file read and SQL injection flaws (multiple vulnerabilities)

Vulnerability
Happening score: 24
2 unique sources, 2 articles

Summary

CVE-2026-4782 and CVE-2026-4798 in the Avada Builder WordPress plugin expose roughly one million sites to arbitrary file read and SQL injection risk. The file-read flaw can expose sensitive server files such as wp-config.php, while the SQL injection flaw is unauthenticated and affects `product_order` on sites with WooCommerce previously installed and deactivated. A fix was shipped in Avada Builder 3.15.3 after an initial patch in 3.15.2.

Timeline

  1. 13.05.2026 17:00 1 article · 14d ago

    Rafie Muhammad reports two Avada Builder CVEs

    Technical Analysis Update

    Independent researcher Rafie Muhammad reports CVE-2026-4782 and CVE-2026-4798 in the Avada Builder WordPress plugin through the Wordfence Bug Bounty Program, starting the remediation timeline for the affected software.

  2. 13.05.2026 17:00 1 article · 14d ago

    Wordfence shares full disclosure and Avada starts fix work

    Mitigation Patch Update

    Wordfence shares full disclosure with the Avada team, and the vendor begins work on a fix for the Avada Builder WordPress plugin vulnerabilities.

  3. 13.05.2026 17:00 1 article · 14d ago

    Avada Builder 3.15.2 ships the initial patch

    Mitigation Patch Update

    Avada releases version 3.15.2 as the first patch for the Avada Builder WordPress plugin vulnerabilities, beginning remediation before the later complete fix.

  4. 13.05.2026 17:00 2 articles · 14d ago

    Wordfence warns that Avada Builder flaws affect around one million sites

    Victim Impact Update

    Wordfence warns that CVE-2026-4782 and CVE-2026-4798 in the Avada Builder WordPress plugin place around one million sites at risk of arbitrary file read and SQL injection attacks, and Avada Builder version 3.15.3 provides the complete fix.
