CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 18, 2026

1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws

Cybersecurity News Archived May 18, 2026 ✓ Full text saved

A widely used WordPress plugin powering over one million websites has been hit by two serious vulnerabilities that could allow attackers to steal sensitive data and access server files. Security researchers warn that the flaws in the Avada Builder plugin could be actively exploited if sites remain unpatched. The issues, discovered by researcher Rafie Muhammad through […] The post 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws appeared first on Cyber Securit

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws By Abinaya May 18, 2026 A widely used WordPress plugin powering over one million websites has been hit by two serious vulnerabilities that could allow attackers to steal sensitive data and access server files. Security researchers warn that the flaws in the Avada Builder plugin could be actively exploited if sites remain unpatched. The issues, discovered by researcher Rafie Muhammad through the Wordfence Bug Bounty Program, include an arbitrary file read vulnerability (CVE-2026-4782) and a SQL injection flaw (CVE-2026-4798). These vulnerabilities affect Avada Builder versions up to 3.15.2 and 3.15.1, respectively. Avada Builder Flaws Arbitrary File Read Vulnerability The first flaw (CVE-2026-4782) allows authenticated users with minimal privileges, such as subscribers, to read sensitive files on the server. This vulnerability exists in the plugin’s handling of the “custom_svg” parameter within a shortcode. Due to missing validation checks, attackers can manipulate the function responsible for loading files and retrieve contents from arbitrary locations. This includes critical files like wp-config.php, which contains database credentials and security keys. In simple terms, a low-level user could trick the plugin into exposing confidential server data without needing admin access. The issue received a CVSS score of 6.5, indicating medium severity but high practical risk. SQL Injection Enables Data Theft The second vulnerability (CVE-2026-4798) is more severe, with a CVSS score of 7.5. It allows unauthenticated attackers to perform time-based SQL injection attacks through the “product_order” parameter. Because the plugin fails to sanitize database queries properly, attackers can inject malicious SQL commands. This can be used to extract sensitive data such as user credentials and password hashes from the database. Although exploitation requires a specific condition, WooCommerce must have been previously installed and later disabled; the attack remains highly impactful. Threat actors can use timing-based techniques, such as SQL SLEEP functions, to slowly extract information without producing direct output. The Avada development team released patches in two stages. Version 3.15.2 partially addressed the issues, while the final fix was delivered in version 3.15.3 on May 12, 2026. Website owners using Avada Builder are strongly advised to update to version 3.15.3 or later immediately. Update the plugin to the latest version. Review user roles and remove unnecessary subscriber accounts. Monitor logs for unusual database queries or file access. Use a web application firewall, such as Wordfence, for added protection. This incident highlights how even widely trusted plugins can introduce serious security risks if not regularly audited. With over a million active installations, the attack surface is massive, making such vulnerabilities attractive targets for threat actors. As attackers continue to automate the exploitation of known flaws, timely patching remains the most effective defense for WordPress site owners. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks Amazon Redshift JDBC Driver Vulnerabilities Enables Remote Code Execution Attacks Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results Latest News Cyber Security News New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released Cyber Security News Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks Cyber Attack News Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results Cyber Security News Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks Cyber Security News Grafana Labs Security Breach – Hackers Access GitHub and Download Codebase
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 18, 2026
    Archived
    May 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗