Avada Builder Vulnerabilities: Update to Version 3.15.3 Now
By Steven | TrustYourWebsite | 2 min read
Source: BleepingComputer
Two vulnerabilities have been found in the Avada Builder WordPress plugin, reportedly affecting an estimated one million active installations, according to BleepingComputer. Website owners using this plugin are advised to update it immediately.
What happened?
According to BleepingComputer, two security flaws were identified in the Avada Builder plugin. Both carry the potential for serious harm to your website.
The first flaw, tracked as CVE-2026-4782, reportedly allows a logged-in user with basic access (such as a subscriber account) to read files on your server that should be private. This includes a file called wp-config.php, which contains your database credentials and security keys. Access to that file could allow an attacker to take over your site entirely.
The second flaw, tracked as CVE-2026-4798, is reportedly an SQL injection vulnerability. This means an attacker who is not even logged in could potentially extract sensitive information from your database, including password hashes. According to BleepingComputer, this particular flaw only applies if you previously had the WooCommerce plugin installed and then deactivated it, with its database tables still in place.
What has been fixed?
According to BleepingComputer, a partial fix was released in version 3.15.2 on April 13. A fully patched version, 3.15.3, followed on May 12. Website owners are advised to update to version 3.15.3 as soon as possible.
If you are unsure how to update a plugin, our security checklist for small businesses walks you through the steps. You may also want to read our guide on vulnerable WordPress plugins to understand how to keep your site protected going forward.
What does this mean for your website?
If your website uses the Avada Builder plugin, check your WordPress dashboard now and confirm you are running version 3.15.3 or higher. Leaving an outdated plugin in place, even for a short time, can expose your customer data and give attackers a way into your site. Keeping plugins updated is one of the simplest and most effective things you can do to protect your business online.
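If you look after several sites and would rather check the version from the plugin files than from each dashboard, the sketch below does that. It is an added example, not code from BleepingComputer or the Avada developers: it reads the `Version:` line from a plugin's main PHP file and sorts the result into the three states described above (before 3.15.2, the partial fix in 3.15.2, and 3.15.3 or higher). The sample header is constructed, and the path to the plugin's main file is something you supply yourself.

```python
import re
import sys

PARTIAL_FIX = (3, 15, 2)  # per the article: partial fix, released April 13
FULL_FIX = (3, 15, 3)     # per the article: fully patched, released May 12

# WordPress reads plugin metadata from a comment header in the main plugin file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header, for illustration only.
SAMPLE = """<?php
/**
 * Plugin Name: Avada Builder
 * Version: 3.15.2
 */
"""

def read_header_version(php_source):
    """Return the Version value from a plugin header, or None if absent."""
    match = _VERSION_RE.search(php_source[:8192])  # WordPress scans only the first 8 KB
    return match.group(1) if match else None

def parse_version(text):
    """Turn '3.15.2' into (3, 15, 2) so 3.9 sorts below 3.15 (plain text comparison gets this wrong)."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def classify(php_source):
    """Return 'patched', 'partial-fix', 'vulnerable' or 'unknown' for a plugin file's contents."""
    raw = read_header_version(php_source)
    if raw is None:
        return "unknown"
    version = parse_version(raw)
    if version >= FULL_FIX:
        return "patched"
    if version >= PARTIAL_FIX:
        return "partial-fix"
    return "vulnerable"

if __name__ == "__main__":
    # Usage: python check_avada.py /path/to/plugin-main-file.php
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print(classify(source))
```

Anything other than `patched` means the site still needs the update to 3.15.3.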