In brief: Two security vulnerabilities (CVE-2023-3153 and CVE-2026-4798) in the Avada Builder WordPress plugin enable attackers to read configuration files with database access credentials or extract password hashes via SQL injection.
The WordPress plugin Avada Builder (approximately one million active installations) contains two security vulnerabilities that allow attackers to read arbitrary files and extract sensitive data from the database. One vulnerability requires authenticated access, while the other can be exploited unauthenticated under certain conditions.
Security researcher Rafie Muhammad discovered two critical vulnerabilities in the Avada Builder WordPress plugin. The first vulnerability (CVE-2023-3153) allows reading arbitrary files and affects all versions up to and including 3.15.23. Authenticated users with at least Subscriber-level access can access sensitive files such as wp-config.php through an improperly validated custom_svg parameter in the shortcode rendering function. This file typically contains database access credentials and cryptographic keys.
The second vulnerability (CVE-2026-4798) is a time-based blind SQL injection and affects Avada Builder up to version 3.15.1. It occurs because input from the product_order parameter is used directly in an SQL ORDER BY clause without sanitization or prepared statements. This vulnerability can be exploited unauthenticated, but only under one condition: the WooCommerce e-commerce plugin must have been installed and later deactivated while its database tables remained in place.
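One way a plugin can take a sort key from a request without letting any request-controlled text reach the SQL string, shown here as an added PHP illustration rather than Avada Builder's own code (the function names, columns and allowlist keys are hypothetical; $wpdb, prepare() and absint() are standard WordPress):

```php
<?php
// Added illustration, not Avada Builder's code. A sort-order parameter
// cannot be protected by $wpdb->prepare() alone, because placeholders
// quote values, not identifiers or SQL keywords; an allowlist closes the gap.
// All function, column and key names below are hypothetical.

/**
 * Map a user-supplied sort key to a fixed, developer-controlled ORDER BY
 * fragment. Anything outside the allowlist falls back to a safe default,
 * so no request-controlled text is ever concatenated into the query.
 */
function hypothetical_safe_product_orderby( $product_order ) {
    $allowed = array(
        'date'  => 'p.post_date DESC',
        'title' => 'p.post_title ASC',
        'price' => 'CAST(pm.meta_value AS DECIMAL(10,2)) ASC',
    );
    $key = is_string( $product_order ) ? strtolower( trim( $product_order ) ) : '';
    return isset( $allowed[ $key ] ) ? $allowed[ $key ] : $allowed['date'];
}

/**
 * Build the product query. The ORDER BY fragment comes from the allowlist
 * above (never from the request); only the value placeholders go through
 * $wpdb->prepare(), which is what prepare() is actually able to protect.
 */
function hypothetical_build_product_query( $wpdb, $product_order, $limit ) {
    $orderby = hypothetical_safe_product_orderby( $product_order );
    return $wpdb->prepare(
        "SELECT p.ID FROM {$wpdb->posts} p
         LEFT JOIN {$wpdb->postmeta} pm ON pm.post_id = p.ID AND pm.meta_key = '_price'
         WHERE p.post_type = %s AND p.post_status = %s
         ORDER BY {$orderby}
         LIMIT %d",
        'product',
        'publish',
        absint( $limit )
    );
}
```

WordPress's built-in sanitize_sql_orderby() only checks the syntactic shape of an ORDER BY clause; it does not confine the query to the columns the code intends, so a fixed allowlist like the one above is the stricter check.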
For a website administrator, both vulnerabilities are relevant: the first enables account takeover once wp-config.php has been read, resulting in complete compromise of the website. The Subscriber-level requirement is a low bar on many WordPress sites, since user registration is often open. The second vulnerability allows extraction of password hashes and other database contents.
Security researcher Muhammad reported the vulnerabilities on March 21 via the Wordfence Bug Bounty Program and on March 24 to the Avada Builder developer. He received bounties of $3,386 and $1,067 respectively for his findings.
Source: ainews-dev.lumi-systems.io · Published May 17, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.