
If your WordPress site uses Avada Builder, check which version you're running today. Two security flaws have been found in this plugin, and one of them doesn't even require an attacker to be logged in to your site.
Key takeaways
- Two vulnerabilities were disclosed in Avada Builder, a WordPress plugin with approximately one million active installations.
- One flaw (CVE-2026-4798) is a high-severity SQL injection that can be exploited without any authentication.
- The other flaw (CVE-2026-4782) is an arbitrary file read vulnerability requiring subscriber-level access.
- Patches were released in April and May 2026. Update to version 3.15.3 or later immediately.
- The flaws were discovered by researcher Rafie Muhammad, who received a bounty of around $4,500 through the Wordfence Bug Bounty Programme.
What are the two vulnerabilities?
Wordfence disclosed both flaws. Here's a plain-English breakdown of what each one does.
| Vulnerability | CVE ID | Authentication needed | What an attacker can do |
|---|---|---|---|
| SQL injection | CVE-2026-4798 | None (unauthenticated) | Extract sensitive data from your database, including password hashes |
| Arbitrary file read | CVE-2026-4782 | Subscriber-level account | Read files stored on your server that should be private |
The SQL injection flaw is the more alarming of the two. Because it requires no login whatsoever, anyone who knows about it can probe your site directly. If successfully exploited, an attacker could pull password hashes and other sensitive data straight out of your database, with no account and no prior foothold on your site.
The arbitrary file read flaw is slightly harder to exploit because the attacker needs at least a subscriber-level account on your site. That's still a low bar on any site that allows user registration, so it shouldn't be dismissed.
Who is affected?
Avada Builder has approximately one million active installations, which makes this a wide-ranging issue. If you're running the Avada theme or the standalone Avada Builder plugin and haven't updated recently, there's a good chance you're still on a vulnerable version.
What should you do right now?
Update Avada Builder to version 3.15.3 or later. The developers released patches across April and May 2026 to address both flaws. Updating is straightforward from your WordPress dashboard under Plugins > Installed Plugins.
If you manage multiple WordPress sites or you're not sure which plugin versions you're running, this is exactly the kind of situation where a website maintenance plan pays for itself. Keeping plugins updated and monitored is one of the most effective things you can do to keep your site secure.
For broader peace of mind on your WordPress setup, our WordPress development and support service can help you stay on top of updates, remove unused plugins, and make sure your site isn't left exposed.
A note on the researcher
Rafie Muhammad discovered both vulnerabilities and reported them responsibly through the Wordfence Bug Bounty Programme. He was awarded a bounty of around $4,500 for the find. Responsible disclosure like this gives developers time to ship a fix before the details go public, which is why patching promptly matters so much once that window closes.
The bottom line
One unauthenticated SQL injection flaw in a plugin with a million installations is a serious situation. The fix is already available, so there's no reason to stay exposed. Update to Avada Builder version 3.15.3 or later today.
Not sure whether your site is up to date, or want someone to handle plugin updates and security monitoring for you? Get in touch with the team at IceBoxDesigns and we'll take it off your plate.
Frequently asked questions
Which versions of Avada Builder are affected by these vulnerabilities?
Any version of Avada Builder prior to 3.15.3 is affected. Update to version 3.15.3 or later to fix both CVE-2026-4798 and CVE-2026-4782.
Can my site be attacked even if users aren't logged in?
Yes. The SQL injection flaw (CVE-2026-4798) requires no authentication at all, meaning an attacker doesn't need an account on your site to attempt to exploit it.
What data could an attacker access through the SQL injection flaw?
According to Wordfence's disclosure, the SQL injection vulnerability could allow attackers to extract sensitive data including password hashes directly from your site's database.
How do I update Avada Builder?
Log in to your WordPress dashboard, go to Plugins > Installed Plugins, find Avada Builder, and click Update if an update is available. Make sure you reach version 3.15.3 or later.
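If you manage several sites and want to confirm which Avada Builder version each one is running without logging into every dashboard, the script below is an added example (not from the original post, Avada, or Wordfence). It reads the Plugin Name and Version fields from each plugin's main-file header under wp-content/plugins, which is the same header WordPress itself reads, and flags any Avada Builder install whose version is numerically below 3.15.3. It assumes the plugin's header name contains "Avada Builder"; the fusion-builder directory name and the two sample sites it builds are constructed fixtures for the demonstration, and on a real server you would pass your own WordPress root directories to audit_sites instead.

```python
"""Audit WordPress installs for an Avada Builder version below the fixed release.

Added example, not code from the original post or from Avada/Wordfence. It reads each
plugin's main-file header the way WordPress does and compares the Version field
against 3.15.3 numerically, so 3.9.1 is correctly treated as older than 3.15.3
(a plain string comparison would get that wrong, because "3.9" sorts after "3.15").
"""
import os
import re
import tempfile

FIXED_VERSION = "3.15.3"  # first release with both fixes, per the advisory
# Assumption: the plugin's header name contains "Avada Builder"; adjust if yours differs.
PLUGIN_NAME_FRAGMENT = "avada builder"

# Matches "Plugin Name: X" / "Version: X" lines in a plugin file header,
# with or without the leading " * " of a docblock comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text):
    """'3.15.3' -> (3, 15, 3); non-numeric suffixes like '3.15.3-beta' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly older than b (missing components count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def read_plugin_headers(php_path):
    """Return {'Plugin Name': ..., 'Version': ...} from the first 8 KB of a plugin file,
    which is the region WordPress itself scans for header fields."""
    with open(php_path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def audit_plugins_dir(plugins_dir, fixed=FIXED_VERSION):
    """Find Avada Builder under wp-content/plugins and report (name, version, needs_update)."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            candidates = sorted(os.path.join(path, f) for f in os.listdir(path) if f.endswith(".php"))
        elif path.endswith(".php"):
            candidates = [path]  # single-file plugins live directly in the plugins dir
        else:
            continue
        for php in candidates:
            headers = read_plugin_headers(php)
            name = headers.get("Plugin Name", "")
            if PLUGIN_NAME_FRAGMENT not in name.lower():
                continue
            version = headers.get("Version", "")
            # An unreadable version is treated as needing attention rather than silently passing.
            needs_update = version_lt(version, fixed) if version else True
            findings.append((name, version, needs_update))
            break  # the first file with a matching header is the plugin's main file
    return findings


def audit_sites(site_roots):
    """Map each WordPress root to its findings; roots without a plugins dir are reported as None."""
    report = {}
    for root in site_roots:
        plugins_dir = os.path.join(root, "wp-content", "plugins")
        report[root] = audit_plugins_dir(plugins_dir) if os.path.isdir(plugins_dir) else None
    return report


def build_sample_sites():
    """Constructed fixture: two fake WordPress roots, one outdated and one patched.
    The 'fusion-builder' directory name is part of the fixture, not something the script relies on;
    detection is by the Plugin Name header."""
    base = tempfile.mkdtemp(prefix="wp-audit-")
    fixtures = {
        "site-a": {"fusion-builder/fusion-builder.php": ("Avada Builder", "3.9.1"),
                   "hello-dolly/hello.php": ("Hello Dolly", "1.7.2")},
        "site-b": {"fusion-builder/fusion-builder.php": ("Avada Builder", "3.15.3")},
    }
    for site, plugins in fixtures.items():
        for rel, (name, version) in plugins.items():
            path = os.path.join(base, site, "wp-content", "plugins", rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return [os.path.join(base, "site-a"), os.path.join(base, "site-b")]


if __name__ == "__main__":
    for root, findings in audit_sites(build_sample_sites()).items():
        for name, version, needs_update in findings or []:
            status = f"UPDATE NOW (< {FIXED_VERSION})" if needs_update else "ok"
            print(f"{root}: {name} {version} -> {status}")
```

Run it as-is to see the two constructed sites reported, then replace build_sample_sites() with a list of your real WordPress root paths. A site that reports a version below 3.15.3, or no readable version at all, should be updated from Plugins > Installed Plugins as described above.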
Related services
Need a hand with this? Here's how IceBoxDesigns can help.