Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database.

One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by authenticated users with at least subscriber-level access to read the contents of any file on the server.

The other security issue received the identifier CVE-2026-4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is possible only if the WooCommerce e-commerce plugin for WordPress has been enabled and then deactivated.

Avada Builder is a drag-and-drop webpage builder plugin for the Avada WordPress theme that lets you create and customize website layouts, content sections, and design elements without writing code.

The two issues were discovered by security researcher Rafie Muhammad, who reported them through the Wordfence Bug Bounty Program and received $3,386 and $1,067, respectively, for the findings.