Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
Summary
Hide ▲
Show ▼
Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A prior 3.15.2 release only partially fixed the issue, so the final patch matters for sites still running vulnerable builds. Site owners are urged to move to 3.15.3 to reduce the risk of credential theft and server-side data exposure.
Related Happenings
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch Release
First: 27.05.2026 13:06
Last: 27.05.2026 13:06
Sources 1
About this happening:
LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch ReleaseAbout this happening: LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
Funnel Builder security patch release (version 3.15.0.3)
Security Patch Release
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...
Funnel Builder security patch release (version 3.15.0.3)
Security Patch ReleaseAbout this happening: **FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/MitigationAbout this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
F5 security patch release for CVE-2026-42945
Security Patch Release
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
F5 security patch release for CVE-2026-42945
Security Patch ReleaseAbout this happening: F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
Latest development: 17.05.2026 14:57
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)
Security Patch Release
First: 11.05.2026 17:30
Last: 11.05.2026 17:30
Sources 1
About this happening:
**Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...
Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)
Security Patch ReleaseAbout this happening: **Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...
Timeline
-
15.05.2026 18:56 1 articles · 12d ago
Avada Builder flaws submitted to Wordfence
Initial DisclosureSecurity researcher Rafie Muhammad submitted CVE-2026-4782 and CVE-2026-4798 through the Wordfence Bug Bounty Program after finding arbitrary file read and SQL injection flaws in the Avada Builder WordPress plugin.
Show sources
- Avada Builder WordPress plugin flaws allow site credential theft — www.bleepingcomputer.com — 15.05.2026 18:56
-
15.05.2026 18:56 1 articles · 12d ago
Avada Builder publisher receives vulnerability report
Initial DisclosureRafie Muhammad reported CVE-2026-4782 and CVE-2026-4798 to the Avada Builder publisher after submitting them through the Wordfence Bug Bounty Program.
Show sources
- Avada Builder WordPress plugin flaws allow site credential theft — www.bleepingcomputer.com — 15.05.2026 18:56
-
15.05.2026 18:56 1 articles · 12d ago
Avada Builder 3.15.2 partial fix released
Mitigation Patch UpdateAvada Builder released version 3.15.2 as a partial fix for CVE-2026-4782 and CVE-2026-4798, but the plugin remained affected through 3.15.2 for the subscriber-level arbitrary file read and through 3.15.1 for the unauthenticated SQL injection.
Show sources
- Avada Builder WordPress plugin flaws allow site credential theft — www.bleepingcomputer.com — 15.05.2026 18:56
-
15.05.2026 18:56 2 articles · 12d ago
Avada Builder 3.15.3 fully patched release
Mitigation Patch UpdateAvada Builder released version 3.15.3 as the fully patched update for CVE-2026-4782 and CVE-2026-4798, closing the flaws that could expose wp-config.php and database contents on affected WordPress sites.
Show sources
- Avada Builder WordPress plugin flaws allow site credential theft — www.bleepingcomputer.com — 15.05.2026 18:56
- Avada Builder WordPress plugin flaws allow site credential theft — www.bleepingcomputer.com — 15.05.2026 18:56