A vulnerability described as critical has been identified in themefusion Avada Builder Plugin up to 3.15.1 on WordPress. This affects the function product_order . Executing a manipulation can lead to sql injection. This vulnerability appears as CVE-2026-4798 . The attack may be performed from remote. There is no available exploit.