Two critical vulnerabilities reported this month in Avada Builder, the visual builder for WordPress, put roughly a million sites at risk: one allows arbitrary file reading on the server and the other is a time-based blind SQL injection that can extract sensitive data. The findings were documented by Wordfence following research by Rafie Muhammad, who received bounties for both; Wordfence's initial technical write-up is the reference for administrators and response teams, and the plugin's record and install count can be checked on its plugin page on WordPress.org.
The vulnerability tracked as CVE-2026-4782 allows a user authenticated with the lowest permission level (subscriber) to abuse the shortcode rendering functionality and the custom_svg parameter to read any file accessible to the web server process. In practice, an attacker with a low-privilege account can retrieve sensitive files such as wp-config.php, which contains the database credentials and the authentication keys and salts. Exposure of that file makes a full site takeover straightforward: with the database credentials an attacker can escalate privileges, clone the database or plant backdoors.

The second vulnerability, CVE-2026-4798, is a time-based SQL injection affecting versions up to 3.15.1. It is caused by the product_order parameter being concatenated directly into an ORDER BY clause without proper query preparation. Although it is exploitable without authentication, it has an important precondition: it only works if the site once used WooCommerce and later deactivated it, leaving its tables in the database. In that scenario an attacker can extract password hashes and other sensitive data with time-based blind exfiltration techniques.
The report was sent privately to Wordfence and the plugin vendor at the end of March; partial and complete fixes were released in April and May: version 3.15.2 partially mitigates the problem and version 3.15.3 contains the full patch. Updating to Avada Builder 3.15.3 is the immediate, non-negotiable action for every site running the plugin.
Beyond updating, administrators should carry out containment and verification: check access logs for shortcode rendering patterns and requests carrying the custom_svg parameter, audit newly created or suspicious user accounts (subscriber-level access is enough to exploit the file read), and look for atypical queries or request patterns that indicate time-based extraction attempts against the database. If the site once used WooCommerce and later deactivated it, verify the integrity and contents of its leftover tables; if they are no longer needed, exporting and dropping them after a backup removes the attack surface the SQLi relies on.
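To make the ORDER BY problem concrete, the following added example (written for this article, not code from Avada Builder or Wordfence) rebuilds the bug class in Python against an in-memory SQLite database with constructed tables and data. Because SQLite has no SLEEP() function, the attacker side shows the boolean-conditional form of the same blind ORDER BY injection: the ordering of the result flips depending on a truth test, which is exactly the oracle that a time-based variant obtains from the response delay. The hardened version shows why the fix is an allowlist rather than a placeholder: ORDER BY takes a column name, not a value, so it cannot be bound with a prepared-statement parameter (WordPress's `$wpdb->prepare()` has the same limitation). Table names, column names and the hash value are assumptions for illustration only.

```python
import sqlite3
import string

# Constructed sample schema: a product table and a user table with a
# phpass-style hash. Nothing here mirrors the plugin's real schema.
BY_NAME = ["Cap", "Mug", "Tee"]    # order when sorted by name
BY_PRICE = ["Mug", "Cap", "Tee"]   # order when sorted by price


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "Mug", 9.5), (2, "Cap", 12.0), (3, "Tee", 20.0)])
    con.execute("CREATE TABLE users (id INTEGER, login TEXT, pass TEXT)")
    # Placeholder hash value, constructed for the demo.
    con.execute("INSERT INTO users VALUES (1, 'admin', '$P$BplaceholderHash')")
    return con


def list_products_vulnerable(con, product_order):
    # The bug class: a request parameter is pasted into ORDER BY as-is.
    sql = f"SELECT id, name FROM products ORDER BY {product_order}"
    return [row[1] for row in con.execute(sql)]


# Hardened form: map the request value onto a fixed set of column names
# and a fixed set of directions; anything else is rejected outright.
ALLOWED_ORDER = {"id": "id", "name": "name", "price": "price"}


def list_products_hardened(con, product_order, direction="asc"):
    column = ALLOWED_ORDER.get(product_order)
    if column is None:
        raise ValueError("unsupported product_order value")
    direction = "DESC" if direction.lower() == "desc" else "ASC"
    sql = f"SELECT id, name FROM products ORDER BY {column} {direction}"
    return [row[1] for row in con.execute(sql)]


# Attacker's oracle against the vulnerable query: sort by price when the
# guess is right, by name when it is wrong, and read the answer from the
# row order. A time-based variant swaps the ORDER BY expression for one
# that stalls the query when the guess is right.
CANDIDATES = string.ascii_letters + string.digits + "$./"


def extract_hash_prefix(con, length):
    known = ""
    for pos in range(1, length + 1):
        for c in CANDIDATES:
            payload = (
                f"CASE WHEN (SELECT substr(pass, {pos}, 1) FROM users WHERE id = 1) = '{c}' "
                f"THEN price ELSE name END"
            )
            if list_products_vulnerable(con, payload) == BY_PRICE:
                known += c
                break
        else:
            break  # no candidate matched; stop rather than guess
    return known


if __name__ == "__main__":
    db = make_db()
    print("leaked prefix:", extract_hash_prefix(db, 3))
    try:
        list_products_hardened(db, "name, (SELECT 1)")
    except ValueError as exc:
        print("hardened query rejected payload:", exc)
```

The point of the hardened function is that the request value never reaches the SQL text; only a constant chosen from the allowlist does. WordPress also ships `sanitize_sql_orderby()`, but an explicit allowlist of the columns the feature actually sorts by is the tighter control.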
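As an added example of the log review described above (not a Wordfence or plugin artefact), the following Python scanner parses a few constructed Apache-style access log lines and flags two request shapes: a custom_svg value that looks like a file path or traversal sequence (decoded twice to catch double-encoded payloads) and a product_order value containing timing functions or SQL syntax characters. The request paths, IPs and timestamps in the sample are invented; the real vulnerable endpoints are not reproduced here, so adapt the parameter names and paths to what your own logs show.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Combined log format prefix: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# custom_svg should point at an SVG asset; paths, traversal and PHP wrappers are suspect.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|^/|wp-config|php://|/etc/passwd)", re.I)
# product_order should be a plain column name; timing functions and SQL syntax are suspect.
TIMING = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)
SQL_SYNTAX = re.compile(r"[()'\"]|--|/\*")


def classify(line):
    """Return a list of findings for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    findings = []
    for raw in params.get("custom_svg", []):
        value = unquote_plus(raw)  # parse_qs decoded once; decode again for %25xx
        if TRAVERSAL.search(value):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "kind": "custom_svg_file_read", "value": value})
    for raw in params.get("product_order", []):
        if TIMING.search(raw) or SQL_SYNTAX.search(raw):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "kind": "product_order_sqli", "value": raw})
    return findings


def scan(lines):
    results = []
    for line in lines:
        findings = classify(line)
        if findings:
            results.extend(findings)
    return results


# Constructed sample lines; endpoints are placeholders, not the plugin's real routes.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/May/2026:09:58:01 +0000] "GET /shop/?product_order=price HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2026:10:01:22 +0000] "GET /index.php?custom_svg=../../../../wp-config.php HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '203.0.113.7 - - [12/May/2026:10:01:25 +0000] "GET /index.php?custom_svg=%252e%252e%2Fwp-config.php HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '203.0.113.9 - - [12/May/2026:10:04:40 +0000] "GET /shop/?product_order=name%2C(SELECT%20SLEEP(5)) HTTP/1.1" 200 8120 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["kind"]}: {hit["value"]}')
```

Two caveats apply. Access logs only record the query string, so parameters sent in a POST body (the usual form for admin-ajax style shortcode rendering) will not appear; pair this with WAF or application logs where available. And time-based injection also leaves a second trace, a burst of requests from one source with unusually long response times, which is worth correlating if your log format records request duration.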

If you suspect an intrusion, move to incident response: rotate the database credentials and the keys and salts defined in wp-config.php, force a password reset on all administrative accounts, scan the site for malicious files (webshells) and diff the current site against a recent backup to detect modifications. While the update is being rolled out, WAF rules that block requests abusing the custom_svg parameter or injecting payloads into ORDER BY can mitigate ongoing attempts.
Medium-term prevention means restricting open user registration on public sites, applying least privilege to WordPress roles, and reviewing how third-party plugins handle request parameters before they are deployed. A fast patch cycle, tested in a staging environment before production, shortens the exposure window for similar vulnerabilities.
For technical reference and ongoing tracking of these CVEs, the public details are in the National Vulnerability Database, which holds the identifiers and technical notes: CVE-2026-4782 in NVD and CVE-2026-4798 in NVD. Active monitoring, immediate updates and a rapid forensic response are the keys to minimizing impact if your site runs Avada Builder.