Tuesday, 02 January 2024 12:17 GMT

Avada Flaw Widens WordPress Security Risk - Arabian Post


(MENAFN- The Arabian Post) Two vulnerabilities in the Avada Builder plugin have exposed around one million WordPress websites to attacks that could reveal sensitive files or extract database information, prompting urgent calls for administrators to update to the fully patched version 3.15.3.

The flaws affect Avada Builder, also known as Fusion Builder, a widely used page-building plugin bundled with the Avada WordPress theme. The higher-rated issue, tracked as CVE-2026-4798, is an unauthenticated time-based SQL injection vulnerability affecting versions up to and including 3.15.1. The second, CVE-2026-4782, is an authenticated arbitrary file read vulnerability affecting versions up to and including 3.15.2. Both have now been addressed, with the final fix landing in version 3.15.3 on May 12, 2026.

Security analysis shows that the SQL injection flaw stems from insufficient handling of the product_order parameter. An unauthenticated attacker could potentially append malicious SQL instructions to existing queries and use timing-based techniques to infer sensitive database contents. The flaw carries a CVSS score of 7.5, placing it in the high-severity category. Its real-world exploitability is narrower than the headline install-base figure suggests, because it can be triggered only on sites where WooCommerce had previously been used and then deactivated.

The arbitrary file read flaw, rated 6.5, involves the fusiongetsvgfromfile function and the customsvg parameter of the fusionsection_separator shortcode. A user with Subscriber-level access or higher could use it to read files on the server, including configuration files that may contain database credentials, cryptographic salts or other secrets. The flaw was only partly mitigated in version 3.15.2 and fully patched in 3.15.3, making the latest update the baseline for administrators.


The disclosure timeline began when researcher Rafie Muhammad submitted both reports through a bug bounty programme on March 21, 2026. The file-read issue was validated and sent to the vendor on March 24, followed by the SQL injection issue on March 25. The developer released version 3.15.2 on April 13, fixing the SQL injection and partly addressing the file-read flaw, before issuing version 3.15.3 on May 12 with the full file-read patch.

The incident highlights a persistent weakness in the WordPress ecosystem: complex commercial themes and bundled builders often sit outside the standard WordPress.org update channel, leaving agencies and site owners dependent on valid licences, vendor portals and manual update workflows. Avada's own documentation lists Avada 7.15.3 as the latest version released on May 12, 2026, reinforcing the need for site owners to check both the theme and the associated builder plugin rather than assuming that a core WordPress update has resolved the risk.

Administrators running Avada Builder should verify the installed plugin version, update to 3.15.3 or later, and test key layouts after applying the patch. Sites still running 3.15.0, 3.15.1 or 3.15.2 remain exposed to at least one of the disclosed issues. Managed portfolios face a more complex task, as agencies may need to audit hundreds of client installations, check whether WooCommerce tables remain from past deployments and confirm whether any low-privilege user accounts could have been abused.
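The version check described above can be scripted across a portfolio. The following is an added example, not code from Avada or from the article's author: it encodes the affected ranges stated in the advisory (CVE-2026-4798 up to and including 3.15.1, CVE-2026-4782 up to and including 3.15.2, both fixed in 3.15.3) and the WooCommerce precondition for the SQL injection. The site list and version strings are constructed; how you obtain each site's installed version (vendor portal, wp-cli, a plugin header) is left to the operator.

```python
"""Triage Avada Builder (Fusion Builder) installs against the two advisories.

Added example based only on the version ranges quoted in the article; it is
not vendor code. Version strings are plain dotted integers (e.g. "3.15.2").
"""
from typing import Dict, List, Tuple

# Last affected version per CVE, taken from the advisory text.
LAST_AFFECTED: Dict[str, Tuple[int, ...]] = {
    "CVE-2026-4798": (3, 15, 1),  # unauthenticated time-based SQL injection
    "CVE-2026-4782": (3, 15, 2),  # authenticated arbitrary file read (only partly fixed in 3.15.2)
}
PATCHED = (3, 15, 3)  # first version with both issues fully addressed


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "3.15.2" into (3, 15, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def exposed_cves(version: str, woocommerce_residue: bool = True) -> List[str]:
    """CVEs the given version is still exposed to.

    woocommerce_residue: whether WooCommerce was previously used on the site and
    then deactivated. The SQL injection is only reachable in that state, so a
    site known to have no WooCommerce history can drop CVE-2026-4798. The
    default is the conservative assumption that the precondition holds.
    """
    v = parse_version(version)
    exposed = []
    for cve, last_bad in LAST_AFFECTED.items():
        if v > last_bad:
            continue
        if cve == "CVE-2026-4798" and not woocommerce_residue:
            continue
        exposed.append(cve)
    return exposed


def needs_update(version: str) -> bool:
    """True for anything below the fully patched release, regardless of preconditions."""
    return parse_version(version) < PATCHED


def triage(sites: Dict[str, Tuple[str, bool]]) -> Dict[str, List[str]]:
    """Map hostname -> exposed CVEs for a portfolio of (version, woocommerce_residue)."""
    return {host: exposed_cves(ver, woo) for host, (ver, woo) in sites.items()}


if __name__ == "__main__":
    # Constructed portfolio; hostnames and versions are illustrative only.
    portfolio = {
        "store.example": ("3.15.0", True),
        "blog.example": ("3.15.1", False),
        "agency-client.example": ("3.15.2", True),
        "patched.example": ("3.15.3", True),
    }
    for host, cves in triage(portfolio).items():
        print(f"{host:24} {'UPDATE' if needs_update(portfolio[host][0]) else 'ok':7} {cves}")
```

Sites with no exposed CVEs but a version below 3.15.3 still show `UPDATE`, which matches the article's point that 3.15.3 is the baseline: the WooCommerce precondition narrows exploitability of the SQL injection, it does not make an older build safe.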

Post-patch checks should include reviewing administrator accounts, scanning for modified files, rotating database passwords and salts where file exposure is suspected, and checking access logs for unusual shortcode or product-order requests. The SQL injection flaw may not apply to every Avada installation, but the file-read vulnerability has broader reach across unpatched deployments. That distinction matters for risk prioritisation, not for delaying remediation.
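One concrete form of the access-log review mentioned above, written here as an added example rather than anything from the vendor or the article: it parses combined-format web server log lines, flags requests carrying the two parameter names the advisory cites (product_order and customsvg), marks path-traversal-shaped values on the file-read parameter, and lists source addresses that sent repeated product_order requests, since time-based inference needs many probes. It assumes both parameters travel in the request query string, which is an assumption, and the log lines are constructed. Legitimate storefront traffic may also carry product_order, so a hit is a request to review, not proof of exploitation.

```python
"""Flag access-log requests worth reviewing after the Avada Builder advisories.

Added example, not vendor code. Assumes Apache/Nginx "combined" log format and
that the parameters named in the advisory appear in the query string.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameter names quoted in the advisory, mapped to the issue each belongs to.
WATCHED = {
    "product_order": "CVE-2026-4798 unauthenticated time-based SQL injection",
    "customsvg": "CVE-2026-4782 authenticated arbitrary file read",
}


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields plus a decoded query dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def scan(log_text: str) -> List[dict]:
    """One finding per watched parameter observed in each request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, issue in WATCHED.items():
            if param not in rec["query"]:
                continue
            value = rec["query"][param][0]
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "param": param,
                "issue": issue,
                "value_len": len(value),
                # Traversal-shaped file-read values deserve the first look.
                "traversal": param == "customsvg" and (".." in value or value.startswith("/")),
            })
    return findings


def burst_sources(findings: List[dict], threshold: int = 3) -> List[str]:
    """Addresses with `threshold` or more product_order requests in the scanned window."""
    counts: Counter = Counter(f["ip"] for f in findings if f["param"] == "product_order")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log; addresses are documentation ranges, values are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2026:09:12:01 +0000] "GET /shop/?product_order=date HTTP/1.1" 200 5123
203.0.113.10 - - [14/May/2026:09:12:03 +0000] "GET /shop/?product_order=dateXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" 200 5123
203.0.113.10 - - [14/May/2026:09:12:09 +0000] "GET /shop/?product_order=dateYYYYYYYYYYYYYYYYYYYYYYYYYYYY HTTP/1.1" 200 5123
198.51.100.5 - - [14/May/2026:10:01:44 +0000] "POST /members/?customsvg=../../example.conf HTTP/1.1" 200 812
192.0.2.77 - - [14/May/2026:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        flag = " TRAVERSAL" if h["traversal"] else ""
        print(f"{h['ts']} {h['ip']:14} {h['param']:14} len={h['value_len']:<4} {h['issue']}{flag}")
    print("repeated product_order sources:", burst_sources(hits))
```

The output groups findings by the parameter and therefore by the CVE, so the SQL injection findings can be discarded outright on sites where WooCommerce was never used, while every customsvg hit from a logged-in low-privilege account is followed up with the credential and salt rotation the article recommends.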


The Avada case also reflects the broader pressure on website operators as attackers increasingly target popular WordPress plugins and themes with large install bases. A single flaw in a widely deployed builder can affect corporate sites, e-commerce storefronts, blogs, campaign pages and agency-managed client portfolios. For small businesses, the operational challenge is often not understanding the advisory, but knowing which sites run the affected component and whether updates are being blocked by expired licences or compatibility concerns.




The Arabian Post

