
Avada Builder WordPress plugin flaws allow site credential theft

📅 15 May 2026 at 15:56 UTC · 📰 Bleeping Computer

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. [...]

🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview

Two vulnerabilities in the Avada Builder WordPress plugin allow hackers to read arbitrary files and extract sensitive information from the database, posing a significant risk to websites with active installations.

⚙️ Technical Details
💥 Impact Assessment
Severity: High
🛡️ Recommended Actions
1. Update to Avada Builder version 3.15.3 as soon as possible
2. Disable WooCommerce plugin if not in use
3. Regularly review and update WordPress plugins and themes
📦 Affected Products
Product Name: Avada Builder WordPress plugin
Version Range: 3.15.1 - 3.15.2
🔐 NVD Verified Data (VERIFIED)

CVE-2026-4782 (CVSS 6.5, MEDIUM)
Attack Vector: NETWORK
Complexity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses: CWE-36

CVE-2026-4798 (CVSS 7.5, HIGH)
Attack Vector: NETWORK
Complexity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses: CWE-89


This is a curated summary. The complete article is available at Bleeping Computer.
