Vulnerability Management

Two vulnerabilities found in popular WordPress plugin Avada Builder

According to Tech Radar, two security flaws were discovered in Avada Builder, a widely used WordPress plugin with approximately one million active installations. The vulnerabilities could have allowed unauthorized access to sensitive user data.

The vulnerabilities, disclosed by Wordfence, include an arbitrary file read flaw (CVE-2026-4782) requiring subscriber-level access and a high-severity SQL injection flaw (CVE-2026-4798) exploitable without authentication. The SQL injection vulnerability could enable attackers to extract sensitive data, including password hashes, directly from the website's database.

Patches for these issues were released by the developers in April and May 2026, with users strongly advised to update to version 3.15.3 or later. The researcher who discovered these flaws, Rafie Muhammad, was awarded a bounty of around $4,500 through the Wordfence Bug Bounty Program.

Source: Tech Radar
