Unauthenticated SQL Injection and Arbitrary File Read Vulnerabilities in Avada Builder WordPress Plugin Affect One Million Sites
Summary
Two vulnerabilities in the Avada Builder WordPress plugin, CVE-2026-4782 and CVE-2026-4798, exposed approximately one million WordPress sites to arbitrary file read and unauthenticated SQL injection. The arbitrary file read flaw (CVSS 6.5) in the fusion_get_svg_from_file function lets any authenticated user with subscriber-level access read sensitive server files, including wp-config.php. The unauthenticated SQL injection flaw (CVSS 7.5) in the product_order parameter is exploitable on sites where WooCommerce was installed and later deactivated. Following coordinated disclosure, the vendor shipped an initial fix in version 3.15.2 (April 13) and the complete patch in version 3.15.3 (May 12); sites should be on 3.15.3 or later.
Timeline
13.05.2026 17:00 · 1 article
Avada Builder Plugin Vulnerabilities CVE-2026-4782 and CVE-2026-4798 Patched After Coordination
Wordfence disclosed the vulnerabilities in Avada Builder to the vendor on March 24–25, 2026. The vendor issued an initial fix in version 3.15.2 on April 13, 2026, followed by a complete patch in version 3.15.3 on May 12, 2026. Because 3.15.2 addressed the issues only partially, site administrators should update to 3.15.3 or later immediately to mitigate the arbitrary file read and SQL injection risks.
- Avada Builder Flaws Expose One Million WordPress Sites — www.infosecurity-magazine.com — 13.05.2026 17:00
Information Snippets
- CVE-2026-4782 is an arbitrary file read vulnerability in the Avada Builder plugin's fusion_get_svg_from_file function, triggered via the fusion_section_separator shortcode with a custom_svg parameter.
  First reported: 13.05.2026 17:00 · 1 source, 1 article
  - Avada Builder Flaws Expose One Million WordPress Sites — www.infosecurity-magazine.com — 13.05.2026 17:00
- Authenticated subscribers can exploit CVE-2026-4782 to read arbitrary files on the server, including wp-config.php, exposing the WordPress database credentials and the authentication keys and salts. Because WordPress signs login cookies with those keys and salts, an attacker who obtains them can forge authenticated sessions, so a site that was exposed should rotate the database password and regenerate the keys and salts, not only apply the update.
  First reported: 13.05.2026 17:00 · 1 source, 1 article
  - Avada Builder Flaws Expose One Million WordPress Sites — www.infosecurity-magazine.com — 13.05.2026 17:00
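The following is an added illustration, not Avada Builder's code (the page does not show the plugin's own implementation): a shortcode attribute that names an SVG file to inline, first with no path validation, then constrained to the WordPress uploads directory. The function names, the attribute handling and the assumption that the attribute is a path relative to the uploads directory are choices made for this example; wp_upload_dir() and the PHP filesystem functions are real APIs.

```php
<?php
// Added example, not the plugin's code. Shows why reading whatever path a
// shortcode attribute carries is an arbitrary file read, and one way to
// constrain it. Assumes the attribute is meant to reference a file under
// wp-content/uploads.

// Vulnerable shape: the attribute value is used as a filesystem path as-is,
// so "../../wp-config.php" or an absolute path is read and returned.
function insecure_svg_from_file( $custom_svg ) {
    $path = $custom_svg;
    return file_exists( $path ) ? file_get_contents( $path ) : '';
}

// Hardened shape: canonicalise the path, require it to stay inside the
// uploads directory, and require a .svg extension.
function secure_svg_from_file( $custom_svg ) {
    $uploads  = wp_upload_dir();
    $base     = realpath( $uploads['basedir'] );
    $resolved = realpath( $base . '/' . ltrim( (string) $custom_svg, '/' ) );

    if ( false === $base || false === $resolved ) {
        return '';
    }
    // realpath() collapses ".." segments and follows symlinks, so a prefix
    // check on the canonical path catches both traversal and symlink escapes.
    if ( strpos( $resolved, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return '';
    }
    if ( strtolower( pathinfo( $resolved, PATHINFO_EXTENSION ) ) !== 'svg' ) {
        return '';
    }
    $contents = file_get_contents( $resolved );
    // Inlined SVG is still markup that will be rendered in the page; run it
    // through an SVG-aware sanitiser before echoing it into the response.
    return false === $contents ? '' : $contents;
}
```

The prefix check must be done on the realpath() result, not on the raw string: a naive `strpos( $custom_svg, '..' )` filter misses encoded or symlinked paths, while the canonical path comparison rejects anything that does not resolve under the uploads directory.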
- CVE-2026-4798 is an unauthenticated time-based SQL injection vulnerability in the product_order parameter, rated CVSS 7.5 (High), affecting sites where WooCommerce was previously installed and then deactivated.
  First reported: 13.05.2026 17:00 · 1 source, 1 article
  - Avada Builder Flaws Expose One Million WordPress Sites — www.infosecurity-magazine.com — 13.05.2026 17:00
- The SQL injection arises because the product_order parameter is concatenated directly into an ORDER BY clause. It passes through sanitize_text_field(), but that function only strips tags, line breaks and control characters and leaves SQL syntax such as parentheses, SLEEP() and subqueries intact, and the query is never run through WordPress's $wpdb->prepare(). Note that prepare() placeholders quote values, so they cannot be used for ORDER BY column names or directions anyway; the correct fix for a sort parameter is to map it through an allow-list of permitted columns and directions.
  First reported: 13.05.2026 17:00 · 1 source, 1 article
  - Avada Builder Flaws Expose One Million WordPress Sites — www.infosecurity-magazine.com — 13.05.2026 17:00
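The following is an added illustration, not Avada Builder's code: the pattern described above, a user-controlled sort parameter that is sanitised with sanitize_text_field() and then concatenated into ORDER BY, beside an allow-list fix. The function names, the product query and the example payload shape are constructed for this example; $wpdb, sanitize_text_field() and $wpdb->prepare() are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Demonstrates why sanitize_text_field()
// does not prevent SQL injection in an ORDER BY clause, and the allow-list
// pattern that does. Query shape and function names are assumptions.

// Vulnerable pattern: sanitize_text_field() removes tags, line breaks and
// control characters, but "menu_order, (SELECT SLEEP(5))" passes through
// unchanged and is executed as SQL. The delay is the time-based oracle
// (illustrative payload shape, not the advisory's).
function vulnerable_product_query( $product_order ) {
    global $wpdb;
    $order = sanitize_text_field( $product_order ); // e.g. "menu_order ASC"
    $sql   = "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' ORDER BY {$order}";
    return $wpdb->get_col( $sql );
}

// Hardened pattern: ORDER BY identifiers cannot be bound with prepare()
// placeholders (a %s placeholder would yield ORDER BY 'menu_order', a string
// literal), so the column and direction are mapped through an allow-list and
// anything unrecognised falls back to a safe default. No user-supplied text
// reaches the SQL string; the value placeholder is still used for post_type.
function safe_product_query( $product_order ) {
    global $wpdb;
    $allowed_columns = array( 'menu_order', 'post_title', 'post_date', 'ID' );

    $parts     = preg_split( '/\s+/', trim( sanitize_text_field( $product_order ) ) );
    $column    = in_array( $parts[0], $allowed_columns, true ) ? $parts[0] : 'menu_order';
    $direction = ( isset( $parts[1] ) && strtoupper( $parts[1] ) === 'DESC' ) ? 'DESC' : 'ASC';

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s ORDER BY {$column} {$direction}",
        'product'
    );
    return $wpdb->get_col( $sql );
}
```

The allow-list comparison uses strict in_array() so that only the exact column names listed can appear in the query; a lookup table mapping short public names to real column names works the same way and avoids exposing schema details in the request parameter.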
- The Avada team received full disclosure from Wordfence on March 24–25, 2026, and released an initial patch in version 3.15.2 on April 13, followed by a complete fix in version 3.15.3 on May 12, 2026.
  First reported: 13.05.2026 17:00 · 1 source, 1 article
  - Avada Builder Flaws Expose One Million WordPress Sites — www.infosecurity-magazine.com — 13.05.2026 17:00