Avada Builder CVE-2026-4798: SQL Injection and File Read Flaws Leave 1 Million WordPress Sites Exposed
Two security vulnerabilities disclosed in the Avada Builder WordPress plugin this month have exposed over one million websites to database credential theft and server file exposure. With a patch now available, Australian WordPress site owners — particularly those running WooCommerce shops — need to act before attackers automate exploitation.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
Two CVEs, One Million Exposed Sites: What Was Disclosed
Security researcher Rafie Muhammad reported two security flaws in Avada Builder to Wordfence's bug bounty programme in late March 2026. Avada Builder is a page-builder plugin bundled with the Avada theme — the most consistently top-selling premium WordPress theme on ThemeForest — and is active on approximately 1,050,000 websites worldwide.
The National Vulnerability Database published both CVEs on 13 May 2026. Bleeping Computer and Infosecurity Magazine both reported on the disclosures under the headline "Avada Builder WordPress plugin flaws allow site credential theft."
The two vulnerabilities are:
- CVE-2026-4798: a time-based SQL injection rated CVSS 7.5 (High). Unauthenticated attackers can inject additional SQL through the product_order parameter in the plugin's ORDER BY clause, extracting sensitive database contents including hashed user passwords and authentication keys. The attack is conditional: exploitation requires that WooCommerce was previously installed on the site and then deactivated, rather than still being fully active.
- CVE-2026-4782: an arbitrary file read rated CVSS 6.5 (Medium). An authenticated user with Subscriber-level access or above can call the fusion_section_separator shortcode with a malicious custom_svg parameter, forcing the server to return the contents of any file the web server process can read, including wp-config.php, which stores database credentials and cryptographic salts. The flaw was partially addressed in Avada Builder 3.15.2 and fully patched in 3.15.3.
Both vulnerabilities were fully patched in Avada Builder version 3.15.3, released on 12 May 2026 — one day before the NVD publication date. Sites still running version 3.15.2 or earlier remain exposed to both flaws.
Wordfence's Threat Intelligence feed listed both CVEs as having no known active exploitation at time of disclosure, consistent with coordinated responsible disclosure practice. However, once a CVE is published and patch diffs are analysed by the security community, exploitation windows typically narrow from weeks to days as automated scanning tools incorporate new signatures. The SQL injection flaw in particular is well-suited to automation: tools such as sqlmap can run time-based blind injection attacks against a target URL with minimal configuration.
Why Australian WordPress Site Owners Are Directly in the Frame
WordPress powers roughly 43 per cent of all websites globally, and its share among Australian small-business websites is at least as high. Avada is the best-selling premium theme on ThemeForest and has been for over a decade; its bundled page builder is the tool many Australian agencies and freelancers reach for when building client sites for retailers, professional services firms, and hospitality businesses.
The condition for CVE-2026-4798 — that WooCommerce must have been previously installed and then deactivated — sounds like a narrow edge case. In practice, it is surprisingly common. Site migrations, theme changes, and trial deployments frequently leave WooCommerce installed and inactive. A WooCommerce table structure can persist in the database long after the plugin appears to have been removed, and the vulnerable code path does not check whether WooCommerce is currently active — only whether the database tables it expects to query are present.
For Australian small businesses, the practical exposure is significant:
- A successful exploitation of CVE-2026-4798 against a site that once ran WooCommerce can return password hashes and authentication keys from the database — even if the site no longer processes payments.
- CVE-2026-4782 requires only a registered user account. On sites that allow user registration (common for membership sites, booking platforms, and local news portals), the barrier to exploiting this flaw is a single sign-up form.
The Australian Signals Directorate's Essential Eight framework lists Patch Applications as one of its eight foundational mitigation strategies. At Maturity Level 1, the expectation is that internet-facing services are patched within one month of a vendor release. Avada Builder 3.15.3 has been available since 12 May 2026, which means the Essential Eight one-month patching window closes on 12 June 2026 for organisations tracking this framework. For those operating at Maturity Level 2, the window for vulnerabilities rated Critical or High is two weeks — meaning the window for CVE-2026-4798 closes on 26 May 2026. That is three days from today.
The ASD publishes no specific advisory for Avada Builder at the time of writing, but the ACSC's general guidance on plugin patching, combined with CVSS 7.5 classification by the NVD, places both flaws within mandatory patching scope for any organisation applying the Essential Eight seriously.
How the Vulnerabilities Work: A Technical Breakdown
CVE-2026-4798: Time-Based Blind SQL Injection
The vulnerability exists in Avada Builder's product ordering functionality. When a page uses WooCommerce product grid shortcodes, the plugin accepts a product_order parameter that is appended directly into an SQL ORDER BY clause without sanitisation. Because the column named in an ORDER BY clause is an identifier rather than a value, it cannot be bound as a prepared-statement placeholder (WordPress's $wpdb->prepare() does not help here), so this class of injection requires a different mitigation: strict allowlisting of the permitted sort fields and directions, which the Avada team had not implemented prior to version 3.15.3.
The injection technique is time-based blind: attackers cannot read database responses directly, but they can infer data by measuring server response delays caused by injected SLEEP() or BENCHMARK() calls. This allows systematic extraction of database content character by character. Automated tools handle this entirely without manual intervention, meaning the effective skill floor for this attack is minimal once a proof-of-concept is circulating.
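The following Python script is an added illustration of the ORDER BY injection class described above and of the allowlist fix; it is not Avada's code and the product and user tables are constructed stand-ins, not the real WooCommerce or WordPress schema. It uses SQLite, which has no SLEEP() function, so the oracle is the row order produced by a conditional ORDER BY expression (the boolean-blind variant) rather than response timing; against MySQL an attacker puts SLEEP() inside the same conditional and measures the delay, which is the time-based variant the advisory describes.

```python
import sqlite3

# Constructed in-memory schema standing in for a product table and wp_users.
# Table and column names are illustrative, not Avada's or WooCommerce's real ones.
ALLOWED_SORT_COLUMNS = {"name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("Kettle", 49.0), ("Toaster", 35.0), ("Blender", 89.0)],
    )
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    # Constructed hash value; the attacker does not know it in advance.
    conn.execute("INSERT INTO users VALUES ('admin', '$2y$10$constructed')")
    return conn


def vulnerable_order(conn, product_order):
    """String-concatenates the sort parameter into ORDER BY (the flawed pattern)."""
    sql = "SELECT name FROM products ORDER BY " + product_order
    return [row[0] for row in conn.execute(sql)]


def safe_order(conn, product_order):
    """Allowlists column and direction. Identifiers cannot be bound as
    prepared-statement parameters, so validation against a fixed set is the fix."""
    parts = product_order.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("rejected sort parameter")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("rejected sort parameter")
    sql = f"SELECT name FROM products ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def leak_char(conn, position):
    """Boolean-blind extraction through ORDER BY. A condition on another table
    decides which column the rows are sorted by; the first row reveals the
    truth value. The cheapest product (Toaster) comes first only when the
    rows are sorted by price, i.e. when the guessed character is correct."""
    for code in range(32, 127):
        condition = (
            f"(SELECT unicode(substr(user_pass, {position}, 1)) FROM users "
            f"WHERE user_login = 'admin') = {code}"
        )
        payload = f"(CASE WHEN {condition} THEN price ELSE name END)"
        if vulnerable_order(conn, payload)[0] == "Toaster":
            return chr(code)
    return None


def leak_prefix(conn, length):
    """Extract the first `length` characters of the admin hash one by one."""
    return "".join(leak_char(conn, i) for i in range(1, length + 1))


if __name__ == "__main__":
    db = setup_db()
    print("legitimate sort:", safe_order(db, "price DESC"))
    print("leaked hash prefix via ORDER BY:", leak_prefix(db, 4))
    try:
        safe_order(db, "(CASE WHEN 1=1 THEN price ELSE name END)")
    except ValueError as exc:
        print("allowlist rejected payload:", exc)
```

Each character costs at most 95 requests in this form; real tooling narrows that with binary search, which is why the text's point about the low skill floor holds once a request shape is known. The allowlist version never interpolates anything the client sent, only a value chosen from the fixed set.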
A successful exploitation of CVE-2026-4798 yields:
- Usernames and email addresses for all registered accounts from the wp_users table
- WordPress password hashes (bcrypt on WordPress 6.8 and later, phpass MD5-based on older installs and for hashes not yet rehashed; either is subject to offline cracking with modern GPU hardware, particularly for weak or reused passwords)
- The contents of wp_options, which on sites whose wp-config.php does not define the authentication keys and security salts holds the auto-generated ones; these values are inputs to the signing of WordPress authentication cookies, so their exposure undermines session security even if no password is ever cracked
CVE-2026-4782: Arbitrary Server File Read
The fusion_section_separator shortcode includes a custom_svg parameter intended to accept a path to an SVG file for decorative section dividers. Avada Builder 3.15.2 and earlier passed this parameter to the fusion_get_svg_from_file() function, which reads and returns file contents, without adequately validating that the supplied path points to an SVG file within the expected directory. A Subscriber-level user can supply a path such as ../../../../wp-config.php and the function returns the file's contents in the response.
The wp-config.php file is the most sensitive configuration file in a WordPress installation. It contains:
- Database hostname, name, username, and password in plaintext
- Authentication keys and security salts used to sign session tokens
- Table prefix, useful for constructing targeted SQL queries
- Any custom constants added by a hosting provider or developer, sometimes including third-party API keys
Version 3.15.2 introduced a partial mitigation that blocked obvious directory traversal strings, but independent security researchers confirmed that bypass techniques remained viable until the full fix landed in 3.15.3. The NVD entry for CVE-2026-4782 notes the partial patch was insufficient and that 3.15.3 is the minimum safe version, a position corroborated by Wordfence's disclosure notes.
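The script below is an added Python illustration of why a string-based traversal block of the kind described as a partial mitigation is a weak fix, beside the check a maintainer should apply instead. It is not Avada's code and does not claim to reproduce the bypass the researchers found, which the page does not describe; the directory layout, file contents and candidate inputs are constructed for the demonstration. The hardened check resolves the requested path (following symlinks) and verifies the result is inside the allowed directory, rather than inspecting the string the client sent.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_target(base_dir, user_path):
    """The partial-fix pattern: reject the literal "../" string, then decode and
    use the value. Returns the file the OS would actually open."""
    if "../" in user_path:
        raise ValueError("traversal blocked")
    decoded = unquote(user_path)           # decoding happens AFTER the check
    return os.path.realpath(os.path.join(base_dir, decoded))


def hardened_target(base_dir, user_path):
    """Resolve first, then check the resolved path against the allowed root."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, unquote(user_path)))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes allowed directory")
    if not candidate.lower().endswith(".svg"):
        raise ValueError("not an svg file")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def compare(base_dir, user_path):
    """Return (naive, hardened): the basename each would read, or 'blocked'."""
    try:
        naive = os.path.basename(naive_target(base_dir, user_path))
    except ValueError:
        naive = "blocked"
    try:
        hardened = os.path.basename(hardened_target(base_dir, user_path))
    except (ValueError, FileNotFoundError):
        hardened = "blocked"
    return naive, hardened


def build_fixture():
    """Constructed site layout: <root>/wp-config.php and <root>/uploads/svg/."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "uploads", "svg")
    os.makedirs(base)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-fixture');\n")
    with open(os.path.join(base, "divider.svg"), "w") as fh:
        fh.write("<svg xmlns='http://www.w3.org/2000/svg'/>\n")
    # A symlink with an .svg name pointing outside the directory.
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(base, "link.svg"))
    return root, base


if __name__ == "__main__":
    root, base = build_fixture()
    for candidate in (
        "divider.svg",                       # legitimate
        "../../wp-config.php",               # the obvious traversal
        "..%2F..%2Fwp-config.php",           # encoded: slips past the string check
        root + "/wp-config.php",             # absolute path: no "../" at all
        "link.svg",                          # symlink escape
    ):
        print(f"{candidate!r:45} naive={compare(base, candidate)[0]:15} "
              f"hardened={compare(base, candidate)[1]}")
```

The absolute-path and symlink cases are the instructive ones: neither contains the blocked substring, and only the resolved-path comparison catches them. Restricting the extension to .svg is a second, independent check; it is not a substitute for containment, since a symlink can carry any name.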
Combined Impact
An attacker who chains both vulnerabilities, first reading wp-config.php with a subscriber account and then using the extracted database credentials, can move from a medium-severity file read to full control of the site's data without ever holding WordPress admin access. Whether the credentials are usable directly depends on whether the database server accepts connections from outside the host; many hosts bind MySQL to localhost, in which case the attacker still needs the SQL injection, but wp-config.php also hands over the authentication keys and salts that make the extracted password hashes far more dangerous. This is why CVSS scores should not be evaluated in isolation: the 6.5-rated file read is the enabler that removes most of the uncertainty around the 7.5-rated injection, and vice versa.
What You Should Do Right Now
The most urgent action is updating Avada Builder to version 3.15.3 or later. You can check your current version in the WordPress admin dashboard under Plugins → Installed Plugins → Avada Builder. If you are running version 3.15.2 or earlier, update immediately before continuing with any other hardening steps.
If you are unsure whether WooCommerce was ever installed on your site — particularly on older or migrated sites — check your database for the presence of WooCommerce tables such as wp_woocommerce_sessions. If those tables exist, treat CVE-2026-4798 as a live risk until you have confirmed you are on 3.15.3 or later.
Review Your Access Logs
If you can access web server logs, search for requests containing product_order in the query string, particularly from unfamiliar IP addresses or unusual user agents. Time-based SQL injection tools generate repeated requests with slightly varying parameters and measurable timing anomalies. Requests containing SQL keywords such as SLEEP, BENCHMARK, or WAITFOR in parameter values are a clear indicator of active scanning.
For CVE-2026-4782, look for requests referencing the fusion_section_separator shortcode or containing file path fragments — particularly any request that includes wp-config in a parameter value. Most web application logs will capture these if your site runs Apache or nginx with standard access logging enabled.
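As an added example of the log review just described, the Python script below parses Apache/nginx combined-format access log lines, URL-decodes parameter values, and flags the two indicator classes from the text: SQL keywords or expression syntax in product_order, and wp-config, traversal sequences or the shortcode name in any parameter value. It also flags bursts of repeated product_order requests from one address, the signature of automated blind injection. The log lines are constructed for the demonstration (the request shape used for the custom_svg case is invented, since the page does not say how the shortcode parameter reaches the server), and the detection rules are this editor's, not Wordfence's or Sucuri's.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed combined-format log lines; addresses, times and requests are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2026:10:01:01 +1000] "GET /shop/?product_order=price HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/May/2026:10:02:11 +1000] "GET /shop/?product_order=price%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
198.51.100.7 - - [23/May/2026:10:02:17 +1000] "GET /shop/?product_order=price%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a) HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
198.51.100.7 - - [23/May/2026:10:02:23 +1000] "GET /shop/?product_order=name%2CBENCHMARK(5000000%2CMD5(1)) HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
192.0.2.44 - - [23/May/2026:10:05:40 +1000] "GET /?shortcode=%5Bfusion_section_separator%5D&custom_svg=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.10 - - [23/May/2026:10:06:00 +1000] "GET /wp-content/uploads/2026/05/wp-config-guide.png HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Keywords and expression syntax that never belong in a sort-field name.
SQLI_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR|UNION|SELECT|CASE)\b|\(|--|/\*", re.I)
# Indicators for the file-read flaw: target file, traversal, or the shortcode itself.
FILE_READ_RE = re.compile(r"wp-config|\.\./|\.\.\\|fusion_section_separator", re.I)
SCANNER_UA_RE = re.compile(r"sqlmap|nikto|nuclei", re.I)


def decode(value, rounds=2):
    """URL-decode repeatedly (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    params = []
    for pair in (query.split("&") if query else []):
        key, _, val = pair.partition("=")
        params.append((decode(key), decode(val)))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "params": params,
        "ua": m.group("ua"),
    }


def classify(req):
    """Return the set of indicator labels matched by one request."""
    hits = set()
    for key, val in req["params"]:
        if key == "product_order" and SQLI_RE.search(val):
            hits.add("sqli-product_order")
        if FILE_READ_RE.search(val):      # parameter values only, not the path
            hits.add("file-read")
    if SCANNER_UA_RE.search(req["ua"]):
        hits.add("scanner-ua")
    return hits


def scan(log_text, burst_window_s=60, burst_min=3):
    """Return (findings, burst_ips): flagged requests plus addresses that sent
    burst_min or more product_order requests inside burst_window_s seconds."""
    findings = []
    product_order_times = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        hits = classify(req)
        if hits:
            findings.append({"ip": req["ip"], "ts": req["ts"],
                             "ua": req["ua"], "hits": sorted(hits)})
        if any(key == "product_order" for key, _ in req["params"]):
            product_order_times[req["ip"]].append(req["ts"])
    burst_ips = []
    for ip, times in product_order_times.items():
        times.sort()
        for i in range(len(times) - burst_min + 1):
            if (times[i + burst_min - 1] - times[i]).total_seconds() <= burst_window_s:
                burst_ips.append(ip)
                break
    return findings, burst_ips


if __name__ == "__main__":
    found, bursts = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"].isoformat(), f["ip"], f["ua"], ",".join(f["hits"]))
    print("burst sources:", bursts)
```

The request for wp-config-guide.png is deliberately included: matching "wp-config" against the whole URL would flag it, so the rules look only at decoded parameter values, which is where the text says the indicator belongs. A POST body is not in the access log, so requests that carry the shortcode in a form body need the application or WAF log instead.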
Add a Web Application Firewall
A web application firewall (WAF) provides a layer of defence that operates independently of whether your plugins are patched. A WAF inspects incoming requests before they reach your application and blocks payloads that match known attack patterns — SQL injection strings, path traversal sequences, and unexpected parameter values among them.
Sucuri's WAF operates as a cloud-based reverse proxy, meaning it inspects all traffic before it reaches your server. For Australian small businesses running WordPress, this means that even if a new plugin vulnerability is disclosed on a Friday afternoon, the WAF's virtual patching rules can block exploitation attempts while you schedule the update during business hours. Sucuri also includes malware scanning, file integrity monitoring, and post-compromise cleanup — the last of which is directly relevant if your site was accessed before you could patch.
Patching is the fix; a WAF reduces the exposure window between disclosure and patch deployment. Both should be in place for any WordPress site that handles customer data or processes payments.
Building a More Resilient WordPress Site: Layered Defences for Australian Businesses
The Avada Builder disclosures are a useful prompt to audit your broader WordPress security posture. Two CVEs in a single popular plugin within a short window is not unusual for products of this complexity — the question is whether your site management practices mean you catch and address these quickly, or whether you discover them after the fact.
Plugin Hygiene
Audit every installed plugin on your site and ask two questions: is it actively maintained, and is it currently necessary? Plugins that are inactive (installed but deactivated) still represent an attack surface. WordPress does not load a deactivated plugin's code, but its files remain in the web root and its database tables remain in place, and as CVE-2026-4798 illustrates, other code can still query those leftover tables: the vulnerable path only checked that the WooCommerce tables existed, not that WooCommerce was active. Inactive plugins with no recent security updates should be removed entirely, not merely deactivated, and their tables dropped where the plugin's uninstaller does not do so.
Restrict user registration to sites that genuinely need it. CVE-2026-4782 requires only Subscriber-level access, which means that on any WordPress site with open registration, this vulnerability was exploitable by anyone with an email address. Sites that do not require user accounts should have registration disabled under Settings → General → Membership.
Principle of Least Privilege for User Roles
Audit user roles on your site regularly. The Subscriber role should not carry the ability to trigger server-side file reads — that CVE-2026-4782 allowed this is a plugin design flaw, but you can reduce the blast radius by ensuring subscriber accounts belong to real, known users and that the Subscriber role has not been inadvertently elevated. Use a plugin like User Role Editor to audit what each role can do, and remove capabilities that are not required for your site's normal operation.
Align With ACSC Essential Eight Guidance
The ASD's Essential Eight Maturity Model applies to Australian businesses of all sizes, not just enterprise or government organisations. Patch Applications and Restrict Administrative Privileges are the two mitigation strategies most directly relevant to the Avada Builder flaws. For small businesses that do not have a dedicated IT function, the Essential Eight Maturity Level 1 controls are a practical starting point: they require patching within one month, disabling unnecessary features, and restricting admin access to those who need it.
For continuous protection between patch cycles, Sucuri provides 24/7 WordPress security monitoring, a cloud WAF with virtual patching, and malware removal as part of its service. For site owners who cannot dedicate time to watching vulnerability feeds, this kind of managed protection reduces the window between a public disclosure and a blocked exploit attempt. The file integrity monitoring component is particularly useful following an incident: if an attacker read your wp-config.php before you patched, file integrity monitoring will flag unexpected changes to core WordPress files that might indicate a persistence mechanism was dropped.
The combination of prompt patching, minimal plugin surface, restricted user registration, and a WAF is not expensive or technically difficult for an Australian small business to implement. The Avada Builder vulnerabilities — like the Burst Statistics flaw before them — show that the risk is real and that the path to compromise through a popular plugin can be straightforward once details are public.
Related reading
- CVE-2026-8181: Burst Statistics WordPress Admin Bypass Flaw Actively Exploited
- WordPress Plugin Backdoor Attack 2026: How Supply Chain Attacks Compromise Thousands of Sites
Keep Your WordPress Site Ahead of the Next Exploit
Check out our recommended security tools for a complete protection stack.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.