Over a million WordPress sites hit in plugin flaw — so patch now or face the consequences


  • Wordfence disclosed two flaws in Avada Builder, a WordPress plugin with around 1 million active installs
  • CVE‑2026‑4782 (Arbitrary File Read, medium severity) requires subscriber‑level access; CVE‑2026‑4798 (SQL injection, high severity) exploitable unauthenticated
  • Patches released in April and May 2026; users advised to update to v3.15.3+; researcher Rafie Muhammad earned ~$4,500 bounty

A popular WordPress plugin with roughly a million active installations contained two vulnerabilities that could have allowed malicious actors to exfiltrate sensitive data, such as password hashes and other valuable information.

Security researchers at Wordfence said they were tipped off by researcher Rafie Muhammad, who reported an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder through the Wordfence Bug Bounty Program.

Avada Builder is a drag-and-drop page builder for WordPress that ships as part of ThemeFusion's Avada ecosystem and currently has more than 1,050,000 active installations. With it, users can build websites without writing code, by dragging and dropping elements such as text blocks, images, sliders, buttons, forms, pricing tables and layouts onto a page and customizing them in real time.


Patches available

The only prerequisite for exploiting the first bug, the Arbitrary File Read, is an account with at least subscriber-level access. Subscriber is the lowest default WordPress role, and on any site with open registration it is trivially obtained, so this is a low bar on most sites. The bug is now tracked as CVE-2026-4782 and was assigned a severity score of 6.5/10 (medium).

The SQL injection vulnerability, on the other hand, can be exploited by unauthenticated attackers to extract sensitive data from the database, including hashed passwords. It is now tracked as CVE-2026-4798 and was assigned a higher severity score of 7.5/10 (high).

Wordfence said the flaws were disclosed to the Avada team on March 24 and 25, 2026, and the developers came back with patches within two months - one on April 13, and the other on May 12.

Users running Avada Builder on their website are advised to update the plugin to version 3.15.3 or newer as soon as possible. Because the two fixes shipped in separate releases, only 3.15.3 or newer is known to contain both, so a site that took only the April update should not consider itself patched.
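A quick way to check exposure across a fleet is to read the `Version:` plugin header that WordPress itself uses and compare it as a version rather than a string (a naive string compare would rank 3.15.10 below 3.15.3 and flag a patched site as vulnerable). The script below is an added example, not code from Wordfence or ThemeFusion; it assumes the plugin's main file lives at wp-content/plugins/fusion-builder/fusion-builder.php, which is the usual directory for Avada Builder but is not stated in the article, and the plugin header it falls back to is constructed for offline use.

```python
import re
from pathlib import Path
from typing import Optional

# Assumption: Avada Builder's main plugin file. The article does not give the
# plugin slug; adjust this path if the install uses a different directory.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/fusion-builder/fusion-builder.php")
FIXED_VERSION = "3.15.3"  # first release advised by Wordfence as carrying both fixes

# Matches the "Version:" line of a standard WordPress plugin header block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '3.15.3' into a comparable key.

    Numeric components compare as integers, trailing zeros are ignored
    (3.15 == 3.15.0), and a pre-release suffix such as '-beta1' sorts
    before the bare release of the same number.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    suffix = m.group(2)
    return (nums, 0 if suffix else 1, suffix)


def header_version(php_source: str) -> Optional[str]:
    """Extract the declared version from a plugin's main PHP file, or None."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def assess(php_source: str) -> dict:
    """Report the declared version and whether it predates the fix."""
    v = header_version(php_source)
    if v is None:
        return {"version": None, "vulnerable": None, "note": "no Version: header found"}
    return {"version": v, "vulnerable": is_vulnerable(v), "note": ""}


# Constructed sample header (not copied from the real plugin) so the script
# runs offline when the plugin file is absent.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Avada Builder
 * Plugin URI: https://avada.com
 * Description: Constructed sample header for an offline check.
 * Version: 3.15.2
 * Author: ThemeFusion
 */
"""

if __name__ == "__main__":
    src = PLUGIN_MAIN_FILE.read_text() if PLUGIN_MAIN_FILE.exists() else SAMPLE_HEADER
    print(assess(src))
```

Run it from the WordPress root; with the sample header it reports version 3.15.2 as vulnerable, while 3.15.10 or 3.16 correctly pass. The header check only tells you what the files on disk declare, so pair it with a look at the actual database-backed plugin list if you suspect tampering.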

Muhammad was paid roughly $4,500 in bounty for his troubles, Wordfence confirmed.

"Props to Rafie Muhammad who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program," it wrote in its report.

"Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security."





Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
