- Wordfence revealed two flaws in Avada Builder, a WordPress plugin with around 1 million active installations
- CVE-2026-4782 (Arbitrary File Read, Medium Severity) requires subscriber-level access; CVE-2026-4798 (SQL injection, high severity) exploitable without authentication
- Patches released in April and May 2026; users are recommended to upgrade to v3.15.3+; researcher Rafie Muhammad received a reward of approximately $4,500.
A popular WordPress plugin with approximately one million active installations contained two vulnerabilities that could have allowed malicious actors to leak sensitive data, such as password hashes and other valuable information.
Security researchers at Wordfence said that researcher Rafie Muhammad alerted them to an arbitrary file read vulnerability and an SQL injection vulnerability in Avada Builder.
Avada Builder is a drag-and-drop page builder for WordPress that is part of ThemeFusion’s Avada ecosystem, with over 1,050,000 active installations at the time of writing. With it, users can create websites without needing to learn or write code. It works by dragging and dropping different elements such as text blocks, images, sliders, buttons, forms, pricing tables, and layouts onto a page, and customizing them in real time.
Patches available
The only prerequisite to be able to take advantage of the first bug is to have at least subscriber-level access, which shouldn’t be too difficult on most sites. This bug, now tracked as CVE-2026-4782, was assigned a severity score of 6.5/10 (medium).
The SQL injection vulnerability, on the other hand, can be exploited even by unauthenticated attackers to extract sensitive data from the database, including hashed passwords. This is now tracked as CVE-2026-4798 and was assigned a slightly higher severity score of 7.5/10 (high).
Wordfence said that the flaws were revealed to the Avada team on March 24 and 25, 2026, and that the developers returned with patches within two months: one on April 13 and the other on May 12.
Users running Avada Builder on their website are recommended to update the plugin to version 3.15.3 or later as soon as possible.
Muhammad received approximately $4,500 in reward for his troubles, Wordfence confirmed.
“Applause to Rafie Muhammad, who responsibly discovered and reported these vulnerabilities through the Wordfence Bug Bounty program,” he wrote in his report.
“Our mission is to protect WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through vulnerability detection and prevention, which is a critical element of the multi-layered security approach.”
