Full Report
Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. [...]
Analysis Summary
# Vulnerability: Critical Flaws in Avada Builder WordPress Plugin
## CVE Details
- **CVE ID:** CVE-2026-4782
- **CVSS Score:** 8.8 (High) - *Note: the source article describes this flaw as medium-severity because exploitation requires an authenticated account; the score listed here reflects the impact of an arbitrary file read, which exposes `wp-config.php` and the database credentials and keys it contains.*
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Arbitrary File Read)
- **CVE ID:** CVE-2026-4798
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-89 (SQL Injection)
## Affected Systems
- **Products:** Avada Builder plugin for WordPress
- **Versions:**
- CVE-2026-4782: All versions up to and including **3.15.2**
- CVE-2026-4798: All versions up to and including **3.15.1**
- **Configurations:**
- For CVE-2026-4782: Requires an authenticated user with at least **Subscriber-level** access.
- For CVE-2026-4798: Requires the **WooCommerce** plugin to have been previously enabled and subsequently **deactivated**, with its database tables still present.
## Vulnerability Description
- **CVE-2026-4782 (Arbitrary File Read):** The flaw is in the plugin's shortcode-rendering functionality. The `custom_svg` parameter is not validated for file type or source, so an authenticated user can point it at a local file on the server and have its contents returned in the rendered output (e.g., `wp-config.php`, which holds the database credentials and keys).
- **CVE-2026-4798 (SQL Injection):** This is a time-based blind SQL injection. User-controlled input from the `product_order` parameter is concatenated into an SQL `ORDER BY` clause without sanitization or query preparation. Because the page content does not reveal the query result, an attacker infers data one condition at a time from the query's response time. Note that an `ORDER BY` column cannot be supplied through a bound parameter (a bound value is a constant, not an identifier), so the correct fix is to restrict the value to an allow-list of column names.
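The following is an added illustration, not code from Avada Builder or from Wordfence, of why concatenating a request value into `ORDER BY` is injectable, why binding the value as a query parameter does not fix it, and how an allow-list does. `sqlite3` stands in for WordPress's MySQL, the table and column names are illustrative, and the oracle shown is order-based rather than time-based (the same principle; on MySQL the `CASE` branch would call `SLEEP()` instead of switching the sort column).

```python
"""Added illustration (not Avada Builder's code): injectable ORDER BY versus an
allow-list.  sqlite3 stands in for MySQL; table/column names are illustrative."""
import sqlite3
from typing import List, Optional

# Request values the application is willing to sort by, mapped to real columns.
ALLOWED_ORDER = {"title": "post_title", "date": "post_date", "id": "ID"}


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHash');
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_date TEXT);
        INSERT INTO wp_posts VALUES (1, 'Zebra', '2026-01-03');
        INSERT INTO wp_posts VALUES (2, 'Apple', '2026-01-02');
        INSERT INTO wp_posts VALUES (3, 'Mango', '2026-01-01');
        """
    )
    return conn


def vulnerable_titles(conn: sqlite3.Connection, product_order: str) -> List[str]:
    """Vulnerable pattern: the request value becomes the ORDER BY expression."""
    sql = "SELECT post_title FROM wp_posts ORDER BY " + product_order
    return [row[0] for row in conn.execute(sql)]


def parameterized_is_not_a_fix(conn: sqlite3.Connection, product_order: str) -> List[str]:
    """Binding the value does not help: the placeholder becomes a string
    constant, every row gets the same sort key, and nothing is sorted."""
    sql = "SELECT post_title FROM wp_posts ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (product_order,))]


def hardened_titles(conn: sqlite3.Connection, product_order: str) -> List[str]:
    """Fix: map the request value onto a fixed column name; anything else
    falls back to a default and never reaches the query text."""
    column = ALLOWED_ORDER.get(product_order, "ID")
    sql = f"SELECT post_title FROM wp_posts ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def blind_extract_first_char(conn: sqlite3.Connection, candidates: str) -> Optional[str]:
    """Blind oracle through the vulnerable ORDER BY: the row order flips
    depending on whether the guessed first character of the admin password
    hash is right.  A time-based variant would put SLEEP() in the CASE branch."""
    for ch in candidates:
        payload = (
            "(CASE WHEN (SELECT substr(user_pass, 1, 1) FROM wp_users WHERE ID = 1)"
            f" = '{ch}' THEN post_title ELSE ID END)"
        )
        # A correct guess sorts alphabetically by title, so 'Apple' comes first.
        if vulnerable_titles(conn, payload)[0] == "Apple":
            return ch
    return None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_titles(db, "post_title"))
    print(blind_extract_first_char(db, "abc$P"))
    print(hardened_titles(db, "(CASE WHEN 1 = 1 THEN post_title ELSE ID END)"))
```

Against the hardened function the same `CASE` payload is not a known key, so it falls back to `ORDER BY ID` and the oracle is gone; the allow-list lookup is the whole fix, no escaping needed.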
## Exploitation
- **Status:** Proof of concept exists. The flaws were reported through a bug bounty program and technical details have been published by Wordfence. The source does not report exploitation in the wild, but the risk is high given the install base and the low attack complexity.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to database credentials, cryptographic keys, and password hashes).
- **Integrity:** High (Potential for full site takeover if `wp-config.php` is read or admin sessions are hijacked).
- **Availability:** Medium (Potential for database disruption through SQLi).
## Remediation
### Patches
- **Version 3.15.2:** Partial fix: addresses CVE-2026-4798 (SQL injection) but leaves CVE-2026-4782 (arbitrary file read) unpatched.
- **Version 3.15.3:** Released May 12, 2026. This is the **fully patched version** that addresses both vulnerabilities.
### Workarounds
- Disable open user registration if it is not required. This limits who can obtain the Subscriber-level account CVE-2026-4782 requires, but does not protect against accounts that already exist.
- If WooCommerce was deactivated and is no longer needed, drop its leftover database tables; this removes the precondition for CVE-2026-4798. *Note: Patching is the only comprehensive solution.*
## Detection
- **Indicators of Compromise:**
- Review web server access logs for requests carrying the `custom_svg` parameter with path traversal sequences (`../`) or references to `wp-config.php` and other sensitive files.
- Look for `product_order` values containing `SLEEP(` or `BENCHMARK(`, the usual MySQL time-based primitives, and for requests to the affected pages whose response times cluster at fixed delays (Apache `%D` or nginx `$request_time`), which indicates time-based blind SQL injection attempts.
- **Detection methods and tools:** Wordfence and other WordPress security scanners flag vulnerable versions of the plugin; confirm the installed version is 3.15.3 or later.
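As an added example (not code from Wordfence or the article), the following scans combined-format access log lines for the two indicators above: `custom_svg` values carrying traversal sequences or sensitive file names, and `product_order` values carrying `SLEEP(` or `BENCHMARK(`. The log lines are constructed for the example; the parameter names come from the advisory, and the file-read pattern also covers `php://` stream wrappers and `/etc/passwd`, common file-read payload forms the article does not name.

```python
"""Added example (not Wordfence's or the article's code): flag the two request
patterns described in the Detection section in combined-format access logs.
The log lines are constructed; parameter names come from the advisory."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Traversal, stream wrappers and well-known sensitive paths in custom_svg.
FILE_READ_RE = re.compile(r"(\.\./|\.\.\\|wp-config\.php|php://|/etc/passwd)", re.I)
# MySQL's time-based primitives in product_order.
TIME_SQLI_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

# Constructed sample log: two attack attempts from one source, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /?custom_svg=..%2F..%2Fwp-config.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:01:05 +0000] "GET /shop/?product_order=ID%2C(SELECT%20SLEEP(5)) HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.3 - - [12/May/2026:10:02:10 +0000] "GET /shop/?product_order=date HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.3 - - [12/May/2026:10:02:11 +0000] "GET /?custom_svg=logo.svg HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def indicators(target: str) -> List[str]:
    """Return the indicator labels that apply to one request target."""
    # parse_qs decodes once; unquote again catches double-encoded payloads.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for value in params.get("custom_svg", []):
        if FILE_READ_RE.search(unquote(value)):
            hits.append("CVE-2026-4782 file-read attempt")
    for value in params.get("product_order", []):
        if TIME_SQLI_RE.search(unquote(value)):
            hits.append("CVE-2026-4798 time-based SQLi attempt")
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return one finding per matched indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for label in indicators(m["target"]):
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "indicator": label, "target": m["target"]}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicator']}: {f['target']}")
```

Access logs only record the query string: if the vulnerable parameter arrives in a POST body, this scan will not see it and you need WAF or application-level logging instead. For the time-based case, correlating `product_order` requests with the response-time field is more reliable than payload matching, since `SLEEP(` can be obfuscated but the delay cannot.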
## References
- **Wordfence Advisory:** hxxps[://]www[.]wordfence[.]com/blog/2026/05/1000000-wordpress-sites-affected-by-arbitrary-file-read-and-sql-injection-vulnerabilities-in-avada-builder-wordpress-plugin/
- **BleepingComputer:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/avada-builder-wordpress-plugin-flaws-allow-site-credential-theft/