Avada Builder WordPress plugin flaws allow site credential theft

Avada Builder WordPress Plugin Flaws Allow Site Credential Theft

OverviewTwo security vulnerabilities in the Avada Builder plugin for WordPress have surfaced, affecting an estimated one million active installations. The flaws enable attackers to read arbitrary files on a server and extract sensitive database information. The issues were identified by a security researcher and disclosed through a bug bounty program, with patches released in successive updates. This post details what happened, how the flaws work, which versions are affected, and the patch timeline, without prescriptive recommendations.

Vulnerabilities at a Glance

• CVE-2026-4782 — Arbitrary File Read

• Description: An authenticated attacker with at least subscriber-level access can read contents of any file on the server by exploiting the plugin’s shortcode-rendering flow and a misused custom_svg parameter.

• Impact: Access to sensitive files such as wp-config.php, which commonly stores database credentials and cryptographic keys, potentially enabling site takeover or administrator account compromise.

• Scope: Affects Avada Builder versions up to and including 3.15.2. The flaw exists due to insufficient validation of file types and sources within the shortcode rendering pathway.

• CVE-2026-4798 — Time-Based Blind SQL Injection

• Description: An SQL injection flaw that can be exploited without authentication under certain conditions. Exploitation requires that WooCommerce is present on the site, has been used, and then deactivated, with the relevant database tables remaining intact.

• Impact: Unauthenticated attackers can extract information from the site’s database, including password hashes, through manipulation of a user-controlled input tied to the product_order parameter in an ORDER BY clause.

• Scope: Affects Avada Builder versions through 3.15.1. The exploit relies on specific interaction with WooCommerce’s state, making its feasibility contingent on the presence and deactivation of WooCommerce.

Discovery, Disclosure, and Remediation Timeline

• Discovery: Security researcher Rafie Muhammad identified both issues and reported them through a coordinated bug bounty program.
• Bug Bounty and Rewards: The findings were reported through the Wordfence Bug Bounty Program, fulfilling disclosure processes and resulting in monetary rewards for the researcher.
• Disclosure Timeline:
• March 21: Submissions to Wordfence Bug Bounty Program.
• March 24: Details communicated to the Avada Builder publisher.
• Patch Progress:
• April 13: Partial fix released as version 3.15.2, addressing at least one aspect of the vulnerabilities.
• May 12: Full patch released as version 3.15.3, addressing the issues comprehensively.
• Current Status: As of the latest information, Avada Builder version 3.15.3 is the fully patched release. Users running older versions remain at risk until they apply the update.

Technical Details and How the Flaws Operate

• Arbitrary File Read (CVE-2026-4782)

• Mechanism: The plugin’s shortcode rendering pathway, when combined with an improperly validated custom_svg parameter, allows an attacker to specify and retrieve contents of files outside the intended scope.

• Notable Risk Vectors: The vulnerability can reveal files that typically store configuration data and cryptographic materials, including wp-config.php, which can enable further exploitation if accessed by an attacker with any meaningful level of access.

• Access Requirements: Requires at least subscriber-level authentication. While this may appear limited, many WordPress sites offer user registrations and roles with such access.

• Time-Based Blind SQL Injection (CVE-2026-4798)

• Mechanism: User-controlled input from product_order is injected into an SQL ORDER BY clause without proper query parameterization or preparation, enabling blind extraction of data.

• Unauthenticated Exploitation: The flaw can be exploited by an unauthenticated actor under the right conditions, increasing the potential attack surface.

• Dependency on WooCommerce State: The exploit is contingent on WooCommerce being in use and then deactivated, with the related tables remaining intact, which creates a narrow but real opportunity for data exposure (including password hashes).

Impact and Risk Assessment

• Reach: The issues affect a broad base of WordPress sites using Avada Builder, given the plugin’s prominence and the number of installations.
• Severity Nuances:
• CVE-4782 (Arbitrary File Read) is medium severity in part because it requires subscriber access, which some sites may harden with registration controls; however, the risk is significant due to potential access to highly sensitive files.
• CVE-4798 (SQL Injection) carries high implications for data confidentiality and integrity, given its ability to expose password hashes and other sensitive database content, even if exploitation relies on a particular WooCommerce lifecycle (presence and deactivation).
• Potential Outcomes:
• Unauthorized retrieval of configuration data, including database credentials and cryptographic keys.
• Possibility of administrator account compromise and broader site takeover if sensitive configuration data falls into the wrong hands.
• Exposure of user data and other stored credentials depending on site configuration and database contents.

Patch History and Version Coverage

• Versions Affected:
• CVE-2026-4782: All versions up to 3.15.2 (inclusive) were susceptible to arbitrary file read under authenticated conditions.
• CVE-2026-4798: Versions through 3.15.1 were affected by the SQL injection vulnerability, with exploitation tied to WooCommerce state.
• Patched Release:
• Partial Fix: 3.15.2 released on April 13 addressed some aspects of the vulnerabilities.
• Full Patch: 3.15.3 released on May 12 resolved both CVEs comprehensively.
• Current Recommendation (Contextual, Not Prescriptive): The fully patched version is 3.15.3, and sites with these plugin versions should verify their installations and reflect the patched state in their maintenance records. Historical versions prior to 3.15.3 remain vulnerable to one or both flaws until updated.

Additional Context and Related Information

• The vulnerabilities were linked to the broader ecosystem around WordPress plugin security, highlighting how complex plugin architectures and user-supplied inputs can create multi-faceted attack surfaces.
• The disclosures underscore the role of bug bounty programs in accelerating vulnerability discovery and prompt responses from software publishers.
• Related topics include the importance of validating file access controls, sanitizing and parameterizing database queries, and the risk posed by long-lived or misconfigured third-party plugins on WordPress sites.

Patch Efficacy and Ongoing Monitoring

• Patch Effectiveness: The May 12 release (3.15.3) is described as fully addressing the two vulnerabilities, reducing the attack surface for sites running the updated version.
• Monitoring Considerations: Site administrators should monitor for any unusual file access patterns, unexpected database queries, and any signs of unauthorized access attempts that could indicate residual risk from older installations.

Closing NotesTwo distinct vulnerabilities in a widely used WordPress page builder illustrate how a combination of file-handling flaws and input-driven SQL logic can create serious security risks. The Avada Builder plugin’s shortcodes and parameter handling were at the center of the issues, revealing how critical it is to enforce strict validation and safe query practices in plugins that sit between a site’s front end and its database and configuration files. The path from discovery to patch demonstrates the value of coordinated disclosure, timely fixes, and clear versioning to reduce exposure across millions of WordPress sites.