Over a million WordPress sites affected by plugin errors – so patch now or face the consequences
Wordfence uncovered two flaws in Avada Builder, a WordPress plugin with around 1 million active installations CVE-2026-4782 (Arbitrary file reading, medium severity) requires subscriber-level access; CVE-2026-4798 (SQL injection, High Severity) can be exploited without authorization Patches released in April and May 2026; users are advised to update to v3.15.3+; Researcher Rafie Muhammad earned ~$4,500 bounty […]









