Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Avada Builder Flaws Expose One Million WordPress Sites
News

Avada Builder Flaws Expose One Million WordPress Sites

Team-CWDBy Team-CWDMay 13, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Two newly disclosed vulnerabilities in the Avada Builder WordPress plugin have placed around one million sites at risk of arbitrary file read and SQL injection attacks.

According to analysis from Wordfence published on May 12, the flaws were reported by independent researcher Rafie Muhammad through the Wordfence Bug Bounty Program on March 21.

SVG Shortcode and Post Cards Flaws

The first issue, tracked as CVE-2026-4782, is an arbitrary file read flaw rated 6.5 on the Common Vulnerability Scoring System (CVSS).

It sits in the plugin’s fusion_get_svg_from_file function, which is invoked through the fusion_section_separator shortcode when a custom_svg parameter is supplied.

Because the function performs no file type or source validation, authenticated users with subscriber-level access can use it to read sensitive files on the server. These include wp-config.php, which holds WordPress’s database credentials, cryptographic keys and salts.

Read more on WordPress plugin vulnerabilities: Flaw in Slider Revolution Plugin Exposed 4m WordPress Sites

The second flaw, CVE-2026-4798, is a more severe unauthenticated time-based SQL injection in the product_order parameter, rated 7.5 (High).

Although the plugin calls sanitize_text_field() on the input, that function does not defend against SQL injection. The surrounding ORDER BY clause is concatenated into the query without using WordPress’s prepare() escaping.

The flaw is only exploitable on sites where WooCommerce was previously installed and then deactivated.

Disclosure and Patch Timeline

Wordfence shared full disclosure with the Avada team on March 24 and 25, and the vendor began work on a fix the same day.

The developer then shipped an initial patch in version 3.15.2 on April 13, followed by the complete fix in 3.15.3 on May 12.

Wordfence urged site owners to apply the update without delay. Defensive measures site administrators may also want to consider given the nature of the flaws include:

  • Auditing subscriber accounts created around the disclosure window

  • Rotating credentials stored in wp-config.php if compromise is suspected

  • Checking for unusual admin-ajax.php traffic referencing the affected shortcode

The disclosure marks the latest entry in Wordfence’s running record of Avada Builder vulnerabilities.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleMetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
Next Article The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
Team-CWD
  • Website

Related Posts

News

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026
News

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

June 24, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

2025’s most common passwords were as predictable as ever

January 21, 2026

Managing risks to your loved one’s digital estate

April 2, 2026

Children and chatbots: What parents should know

January 23, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.