ThemeFusion: SQL Injection, File Read Vulnerability Affect 1M Avada WordPress Sites

Critical Vulnerabilities in Avada Builder Plugin Expose 1 Million WordPress Sites to Attacks

On May 13, 2026, cybersecurity firm Wordfence disclosed two severe vulnerabilities in the Avada Builder WordPress plugin, a page builder bundled with the popular Avada theme by ThemeFusion. The flaws, discovered by researcher Rafie Muhammad and reported via Wordfence’s Bug Bounty Program, earned a combined bounty of $4,453. Approximately 1 million active websites are at risk of credential theft, database compromise, and full-site takeover.

The most critical flaw, CVE-2026-4798 (CVSS 7.5), is an unauthenticated SQL injection vulnerability affecting all versions of Avada Builder up to 3.15.1. The issue stems from improper sanitization of the product_order GET parameter in the plugin’s post_query() function, allowing attackers to execute time-based blind SQL injection attacks. Exploitation requires WooCommerce to have been previously installed and deactivated, leaving residual database tables. Successful attacks could extract password hashes and sensitive data by measuring server response delays.

The second vulnerability, CVE-2026-4782 (CVSS 6.5), enables arbitrary file read via the fusion_get_svg_from_file() function, triggered by the custom_svg parameter in the fusion_section_separator shortcode. Due to missing file validation and insufficient access controls, authenticated users with Subscriber-level access can read any server file, including wp-config.php, which contains database credentials and cryptographic salts. Attackers could forge admin sessions, create rogue accounts, and deploy backdoors.
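Both flaws hinge on a single parameter whose legitimate values have an obviously constrained shape (a sort key for product_order, an SVG file name for custom_svg), which makes abuse easy to hunt for after the fact. The detection script below is an added example, not Wordfence's or ThemeFusion's code; it assumes product_order shows up as a GET parameter in a combined-format web access log and that the custom_svg attribute is found by scanning fusion_section_separator shortcodes in exported post content, and all sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A product_order value is a sort key: a short identifier, optionally followed
# by asc/desc. Quotes, parentheses or SQL function calls never belong there.
ORDER_OK = re.compile(r"^[A-Za-z0-9_]{1,32}(?:\s+(?:asc|desc))?$", re.IGNORECASE)

def suspicious_product_order(value: str) -> bool:
    return ORDER_OK.match(value.strip()) is None

def suspicious_custom_svg(value: str) -> bool:
    # custom_svg should name an .svg file; traversal, NUL bytes and non-SVG
    # targets are treated as attempts to read arbitrary files such as wp-config.php.
    v = value.replace("\\", "/").strip().lower()
    return ".." in v or "\x00" in v or not v.endswith(".svg")

REQ_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
SHORTCODE_RE = re.compile(r"\[fusion_section_separator\b([^\]]*)\]")
ATTR_RE = re.compile(r'custom_svg="([^"]*)"')

def flag_access_log(lines):
    """Return (line_no, value) for requests whose product_order looks injected."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)  # percent-decodes values
        for v in qs.get("product_order", []):
            if suspicious_product_order(v):
                hits.append((n, v))
    return hits

def flag_post_content(content):
    """Return custom_svg values of fusion_section_separator shortcodes that look like file reads."""
    return [v for sc in SHORTCODE_RE.finditer(content)
            for v in ATTR_RE.findall(sc.group(1)) if suspicious_custom_svg(v)]

# Constructed samples (not real traffic or real post content).
SAMPLE_LOG = [
    '203.0.113.10 - - [14/May/2026:10:01:02 +0000] "GET /shop/?product_order=price HTTP/1.1" 200 5120',
    '203.0.113.10 - - [14/May/2026:10:01:09 +0000] "GET /shop/?product_order=price%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
]
SAMPLE_POST = ('[fusion_section_separator divider_type="triangle" custom_svg="wp-content/uploads/divider.svg"]'
               '[fusion_section_separator divider_type="custom" custom_svg="../../wp-config.php"]')

if __name__ == "__main__":
    print(flag_access_log(SAMPLE_LOG))     # [(2, 'price AND SLEEP(5)')]
    print(flag_post_content(SAMPLE_POST))  # ['../../wp-config.php']
```

Hits on product_order identify hosts to block and sessions to review; hits in post content identify the authoring account, which is the Subscriber-level user the file-read flaw requires.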

Wordfence reported the vulnerabilities to ThemeFusion on March 24–25, 2026. A partial patch (3.15.2) addressing the SQL injection flaw was released on April 13, 2026, with the complete fix (3.15.3) arriving on May 12, 2026. Wordfence Premium, Care, and Response users received firewall protection on March 25, 2026, while free users gained coverage 30 days later.

Security analysts highlight that Avada Builder’s theme-bundled architecture complicates updates, as users cannot patch the plugin independently of the theme. Administrators are urged to upgrade to version 3.15.3 immediately and audit for unauthorized access or modified files.

Source: https://cyberpress.org/sql-injection-file-read-1m-avada/

ThemeFusion cybersecurity rating report: https://www.rankiteo.com/company/themefusion

"id": "THE1779092666",
"linkid": "themefusion",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '1 million active websites',
                        'industry': 'Web Development (WordPress '
                                    'Plugins/Themes)',
                        'name': 'ThemeFusion (Avada Theme/Builder)',
                        'type': 'Software Vendor'}],
 'attack_vector': ['Unauthenticated SQL Injection via `product_order` '
                   'parameter',
                   'Authenticated File Read via `custom_svg` parameter'],
 'customer_advisories': 'WordPress site owners using Avada Builder advised to '
                        'update immediately to mitigate risks of credential '
                        'theft and full-site takeover.',
 'data_breach': {'file_types_exposed': ['wp-config.php', 'SVG files'],
                 'personally_identifiable_information': 'Possible (via '
                                                        'database compromise)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Password hashes',
                                              'Database credentials',
                                              'Cryptographic salts',
                                              'Sensitive data']},
 'date_detected': '2026-03-24',
 'date_publicly_disclosed': '2026-05-13',
 'date_resolved': '2026-05-12',
 'description': 'On May 13, 2026, cybersecurity firm Wordfence disclosed two '
                'severe vulnerabilities in the Avada Builder WordPress plugin, '
                'a page builder bundled with the popular Avada theme by '
                'ThemeFusion. The flaws, discovered by researcher Rafie '
                'Muhammad and reported via Wordfence’s Bug Bounty Program, '
                'earned a combined bounty of $4,453. Approximately 1 million '
                'active websites are at risk of credential theft, database '
                'compromise, and full-site takeover.',
 'impact': {'data_compromised': ['Password hashes',
                                 'Database credentials',
                                 'Cryptographic salts',
                                 'Sensitive data'],
            'identity_theft_risk': ['Personally identifiable information '
                                    'exposure'],
            'operational_impact': ['Full-site takeover',
                                   'Unauthorized access',
                                   'Backdoor deployment'],
            'systems_affected': ['WordPress sites using Avada Builder plugin '
                                 '(up to version 3.15.1)']},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Avada Builder’s theme-bundled architecture complicates '
                    'updates, as users cannot patch the plugin independently '
                    'of the theme. Proper input sanitization and access '
                    'controls are critical to prevent SQL injection and '
                    'arbitrary file read vulnerabilities.',
 'post_incident_analysis': {'corrective_actions': ['Patch released (versions '
                                                   '3.15.2 and 3.15.3)',
                                                   'Firewall protection '
                                                   'deployed by Wordfence'],
                            'root_causes': ['Improper sanitization of '
                                            '`product_order` parameter',
                                            'Missing file validation and '
                                            'insufficient access controls in '
                                            '`fusion_get_svg_from_file()` '
                                            'function']},
 'recommendations': ['Immediately upgrade to Avada Builder version 3.15.3',
                     'Audit systems for unauthorized access or modified files',
                     'Enforce strict input validation and access controls in '
                     'plugin development'],
 'references': [{'date_accessed': '2026-05-13', 'source': 'Wordfence'}],
 'response': {'communication_strategy': 'Public disclosure by Wordfence on May '
                                        '13, 2026',
              'containment_measures': ['Firewall rules deployed by Wordfence'],
              'recovery_measures': ['Upgrade to version 3.15.3',
                                    'Audit for unauthorized access or modified '
                                    'files'],
              'remediation_measures': ['Patch released (versions 3.15.2 and '
                                       '3.15.3)'],
              'third_party_assistance': 'Wordfence (Bug Bounty Program, '
                                        'Firewall Protection)'},
 'stakeholder_advisories': 'Administrators urged to upgrade to version 3.15.3 '
                           'and audit for unauthorized access.',
 'title': 'Critical Vulnerabilities in Avada Builder Plugin Expose 1 Million '
          'WordPress Sites to Attacks',
 'type': ['SQL Injection', 'Arbitrary File Read'],
 'vulnerability_exploited': ['CVE-2026-4798 (CVSS 7.5)',
                             'CVE-2026-4782 (CVSS 6.5)']}