Vulnerabilities Uncovered in Avada Builder
Security researchers have identified two serious security flaws in the Avada Builder plugin for WordPress, a tool used on more than one million websites. The vulnerabilities, discovered through the Wordfence Bug Bounty Program, could allow attackers to read sensitive server files and extract database information. The developer has released patches to address these issues, and site owners are urged to update immediately.
The first vulnerability involves an arbitrary file read flaw that affects plugin versions up to 3.15.2. This issue allows authenticated users with minimal privileges, such as subscribers, to access sensitive files on the server. By exploiting a shortcode parameter called custom_svg, attackers can retrieve critical files like wp-config.php, which stores database credentials and security keys. This flaw received a CVSS score of 6.5.
Impact and Scope of the SQL Injection Flaw
The second vulnerability is a more severe SQL injection flaw affecting versions up to 3.15.1. This issue, rated 7.5 on the CVSS scale, allows unauthenticated attackers to perform time-based SQL injection attacks through the product_order parameter. Due to improper query sanitization, attackers can extract sensitive data such as user credentials and password hashes from the database. Exploitation requires WooCommerce to have been previously installed and later disabled, but the potential impact remains high.
The Avada development team released patches in stages, with version 3.15.2 providing a partial fix and version 3.15.3 delivering the complete resolution on May 12, 2026. Website administrators are strongly advised to update the plugin to version 3.15.3 or later and to review user account permissions.
Source: Cyber Security News
