Two vulnerabilities in the Avada Builder WordPress plugin can let attackers read arbitrary files or extract sensitive database data, including credentials and password hashes. Wordfence says both flaws were fixed in version 3.15.3, and site owners should update immediately to protect installations of the widely used plugin. #AvadaBuilder #CVE-2026-4782 #CVE-2026-4798 #Wordfence #WooCommerce
Key points
- Avada Builder has two vulnerabilities affecting versions through 3.15.2 and 3.15.1.
- CVE-2026-4782 allows authenticated users with subscriber-level access to read arbitrary files.
- The file-read flaw can expose wp-config.php and other sensitive server data.
- CVE-2026-4798 is an unauthenticated SQL injection linked to a product_order parameter issue.
- Wordfence urges administrators to upgrade to Avada Builder 3.15.3 as soon as possible.