TWO newly disclosed vulnerabilities in the Avada Builder WordPress plugin place around one million sites at risk of arbitrary file read and SQL injection attacks. According to Wordfence analysis published on 12 May, the flaws are CVE-2026-4782, an arbitrary file read with a CVSS score of 6.5, and CVE-2026-4798, a more severe unauthenticated time-based blind SQL injection scored 7.5.
The first issue sits in the fusion_get_svg_from_file function: when a custom_svg parameter is supplied, the file it names is read back, exposing sensitive files such as wp-config[.]php. The second affects the product_order parameter, which is concatenated directly into an ORDER BY clause rather than being validated or passed through $wpdb->prepare(), so an unauthenticated attacker can inject SQL and infer results from response timing. The flaws were disclosed to the Avada team on 24 and 25 March; a patch shipped in version 3.15.2 on 13 April and a complete fix followed in 3.15.3 on 12 May, so site owners are urged to update promptly.
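The two bug classes above come down to two coding patterns: a user-controlled identifier dropped into ORDER BY, and a user-controlled path handed to a file read. The following PHP is an added illustration written for this article, not code from Avada Builder or Wordfence; the function and constant names (vulnerable_order_by, safe_order_by, resolve_svg_path, ALLOWED_ORDER_COLUMNS) and the sample inputs are hypothetical, chosen to show each vulnerable pattern beside its hardened form. Note that the ordinary %s and %d placeholders of $wpdb->prepare() bind values, not identifiers, which is why an ORDER BY column has to be mapped onto an allow-list (WordPress 6.2 and later also offer the %i identifier placeholder).

```php
<?php
// Illustrative hardening patterns for the two bug classes described above.
// Not Avada Builder code; all names and inputs below are hypothetical.
// Run with: php hardening-example.php
declare(strict_types=1);

// --- 1. ORDER BY injection -------------------------------------------------
// Only these keys may reach the SQL; values are the real column names.
const ALLOWED_ORDER_COLUMNS = [
    'date'  => 'post_date',
    'title' => 'post_title',
    'price' => 'meta_value',
];

/** Vulnerable pattern: attacker-controlled text is concatenated into the query. */
function vulnerable_order_by(string $product_order): string
{
    return "SELECT ID FROM wp_posts WHERE post_type = 'product' ORDER BY " . $product_order;
}

/** Hardened pattern: accept "key" or "key desc"; anything else becomes the default. */
function safe_order_by(string $product_order): string
{
    $parts  = preg_split('/\s+/', strtolower(trim($product_order)), 2) ?: [];
    $key    = $parts[0] ?? '';
    $dir    = strtoupper($parts[1] ?? 'ASC');
    $column = ALLOWED_ORDER_COLUMNS[$key] ?? 'post_date';   // unknown key -> default column
    $dir    = ($dir === 'DESC') ? 'DESC' : 'ASC';            // anything but DESC -> ASC
    return "SELECT ID FROM wp_posts WHERE post_type = 'product' ORDER BY {$column} {$dir}";
}

// --- 2. Arbitrary file read ------------------------------------------------
/** Vulnerable pattern: the parameter is used as a path with no containment check. */
function vulnerable_svg_read(string $custom_svg)
{
    return @file_get_contents($custom_svg);   // "../../wp-config.php" is read like any other file
}

/** Hardened pattern: resolve inside a fixed base directory and require a real .svg file. */
function resolve_svg_path(string $base_dir, string $custom_svg): ?string
{
    $base   = realpath($base_dir);
    // basename() discards directory segments, so "../x.svg" becomes "x.svg".
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . basename($custom_svg));
    if ($base === false || $target === false) {
        return null;                                   // base missing or file does not exist
    }
    // realpath() has collapsed "../" and symlinks, so a prefix check is meaningful here.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // escaped the base directory
    }
    if (strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'svg') {
        return null;                                   // not an SVG
    }
    return $target;
}

// --- Demonstration with constructed inputs ---------------------------------
$payload = 'post_date, (SELECT SLEEP(5))';             // shape of a time-based blind payload
echo vulnerable_order_by($payload), "\n";              // payload reaches the database verbatim
echo safe_order_by($payload), "\n";                    // ... ORDER BY post_date ASC
echo safe_order_by('price desc'), "\n";                // ... ORDER BY meta_value DESC

$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'svg-demo-' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'icon.svg', '<svg xmlns="http://www.w3.org/2000/svg"/>');
var_dump(resolve_svg_path($tmp, 'icon.svg'));                  // string: the resolved path
var_dump(resolve_svg_path($tmp, '../../../../etc/passwd'));    // NULL
var_dump(resolve_svg_path($tmp, '../wp-config.php'));          // NULL
unlink($tmp . DIRECTORY_SEPARATOR . 'icon.svg');
rmdir($tmp);
```

The important design choice in the first half is that the attacker's string never becomes SQL: it is only ever used as a lookup key into a fixed map. In the second half the order of operations matters: basename() first, then realpath(), then the prefix comparison against the resolved base, since comparing unresolved strings can be bypassed with symlinks or "..".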
According to the advisory, exploitation is limited to sites where WooCommerce was previously installed and then deactivated. Wordfence also recommends auditing subscriber accounts and rotating the credentials stored in wp-config[.]php if compromise is suspected.