- Wordfence uncovered two flaws in Avada Builder, a WordPress plugin with around 1 million active installations
- CVE-2026-4782 (arbitrary file read, medium severity) requires subscriber-level access; CVE-2026-4798 (SQL injection, high severity) can be exploited without authentication
- Patches released in April and May 2026; users are advised to update to v3.15.3+; Researcher Rafie Muhammad earned ~$4,500 bounty
A popular WordPress plugin with around a million active installations contained two vulnerabilities that could have allowed malicious actors to exfiltrate sensitive data, such as password hashes and other valuable information.
Security researchers at Wordfence said they were tipped off by researcher Rafie Muhammad, who reported an arbitrary file read vulnerability and a SQL injection vulnerability in Avada Builder.
Avada Builder is a drag-and-drop page builder for WordPress that ships as part of the Avada ecosystem by ThemeFusion and currently has more than 1,050,000 active installations. With it, users can build websites without having to learn or write code: elements such as text blocks, images, sliders, buttons, forms, price tables and layouts are dragged onto a page and adjusted in real time.
Patches available
The arbitrary file read bug requires only subscriber-level access, which is often easy to obtain on sites that allow open user registration. It is now tracked as CVE-2026-4782 and was assigned a CVSS severity score of 6.5/10 (medium).
The SQL injection vulnerability, on the other hand, can be exploited by unauthenticated attackers to extract sensitive data from the database, including hashed passwords. It is tracked as CVE-2026-4798 and was assigned a higher severity rating of 7.5/10 (high).
Wordfence said the bugs were disclosed to the Avada team on March 24 and 25, 2026, and the developers shipped patches within two months: one on April 13 and the other on May 12.
Users running Avada Builder on their website are advised to update the plugin to version 3.15.3 or later as soon as possible.
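For administrators who manage many sites and want to confirm which installs are still below 3.15.3, the following is an added example (not code from Wordfence, ThemeFusion or the article) that reads the `Version:` header WordPress itself uses in a plugin's main PHP file and compares it numerically against the patched release. The plugin header text in the block is constructed for illustration, and the article does not name Avada Builder's plugin folder or main file, so no path is assumed; pass the real file as an argument. The numeric comparison matters: a plain string comparison would wrongly treat 3.15.10 as older than 3.15.3.

```python
"""Check whether an installed Avada Builder copy is older than the patched release.

Added example, not Wordfence's or ThemeFusion's code. The plugin header below
is constructed for this example. The version check compares dotted versions
component by component as integers, so 3.15.10 is correctly newer than 3.15.3,
which a naive string comparison gets wrong.
"""
import re
import sys

# From the advisory: update to 3.15.3 or later.
PATCHED_VERSION = "3.15.3"

# Constructed sample of a WordPress plugin file header (not the real plugin's header).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Avada Builder
 * Plugin URI:  https://example.invalid/
 * Description: Constructed sample header for this example.
 * Version: 3.15.2
 */
"""


def version_tuple(version):
    """Turn '3.15.2' (optionally followed by a suffix such as '-beta') into (3, 15, 2)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_older(installed, patched=PATCHED_VERSION):
    """True when `installed` is strictly below `patched` (3.15 is treated as 3.15.0)."""
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_version(header_text):
    """Extract the 'Version:' header the way WordPress reads plugin file headers:
    the line may be prefixed by comment characters and whitespace."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", header_text, re.MULTILINE)
    return m.group(1) if m else None


def check_header(header_text, patched=PATCHED_VERSION):
    """Return a small report: installed version, patched version, and whether to update."""
    installed = installed_version(header_text)
    if installed is None:
        raise ValueError("no 'Version:' header found in plugin file")
    return {
        "installed": installed,
        "patched": patched,
        "needs_update": is_older(installed, patched),
    }


if __name__ == "__main__":
    # Usage: python check_avada.py /path/to/wp-content/plugins/<plugin>/<main-file>.php
    # Without an argument the constructed sample header is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HEADER
    print(check_header(text))
```

The check deliberately reads the plugin file rather than the database, so it works on a backup or a mounted volume where WordPress is not running; on a live site, `wp plugin list` from WP-CLI gives the same version string if that tooling is available.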
Muhammad was paid about $4,500 in bounty for his trouble, Wordfence confirmed.
“Props to Rafie Muhammad who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program,” it wrote in its report.
“Our mission is to secure WordPress through defense in depth, which is why we invest in quality vulnerability research and partner with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through vulnerability detection and prevention, which is a critical element of the multi-layered approach to security.”
