Avada Builder Vulnerabilities: Update to Version 3.15.3 Now

By Steven | TrustYourWebsite | 2 min read

Source: BleepingComputer

Two vulnerabilities have been found in the Avada Builder WordPress plugin, reportedly affecting an estimated one million active installations, according to BleepingComputer. Website owners using this plugin are advised to update it immediately.

What happened?

According to BleepingComputer, two security flaws were identified in the Avada Builder plugin. Both carry the potential for serious harm to your website.

The first flaw, tracked as CVE-2026-4782, reportedly allows a logged-in user with basic access (such as a subscriber account) to read files on your server that should be private. This includes a file called wp-config.php, which contains your database credentials and security keys. Access to that file could allow an attacker to take over your site entirely.

The second flaw, tracked as CVE-2026-4798, is reportedly an SQL injection vulnerability. This means an attacker who is not even logged in could potentially extract sensitive information from your database, including password hashes. According to BleepingComputer, this particular flaw only applies if you previously had the WooCommerce plugin installed and then deactivated it, with its database tables still in place.

What has been fixed?

According to BleepingComputer, a partial fix was released in version 3.15.2 on April 13. A fully patched version, 3.15.3, followed on May 12. Website owners are advised to update to version 3.15.3 as soon as possible.

If you are unsure how to update a plugin, our security checklist for small businesses walks you through the steps. You may also want to read our guide on vulnerable WordPress plugins to understand how to keep your site protected going forward.

What does this mean for your website?

If your website uses the Avada Builder plugin, check your WordPress dashboard now and confirm you are running version 3.15.3 or higher. Leaving an outdated plugin in place, even for a short time, can expose your customer data and give attackers a way into your site. Keeping plugins updated is one of the simplest and most effective things you can do to protect your business online.
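
A triage script for the version check described above, as an added example (not from the article or from the Avada project). It treats any version below 3.15.3 as unpatched, because the report does not say which flaw the 3.15.2 partial fix addressed, and it flags CVE-2026-4798 only when WooCommerce is inactive but its tables remain. The plugin slug argument and the WooCommerce table-name patterns are assumptions; the WP-CLI part runs only when a slug is passed.

```sh
#!/bin/sh
# Added example: triage for the two Avada Builder flaws as reported in this article.
FIXED="3.15.3"   # fully patched release named in the article

# ver_lt A B: succeed if dotted version A is lower than B (numeric compare per
# field, so 3.15.10 is correctly newer than 3.15.3).
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
        x=${x:-0}; y=${y:-0}               # missing field counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# triage VERSION WC_ACTIVE WC_TABLES  (the last two are "yes" or "no")
# Prints "patched" or the CVEs whose reported conditions are met.
triage() {
    ver=$1 wc_active=$2 wc_tables=$3
    if ! ver_lt "$ver" "$FIXED"; then
        echo "patched"
        return 0
    fi
    # File read (CVE-2026-4782) needs only a low-privilege login, so it is
    # assumed reachable on every version below the full fix.
    verdict="update: CVE-2026-4782"
    # SQL injection (CVE-2026-4798) reportedly applies only when WooCommerce
    # was deactivated and its database tables were left behind.
    if [ "$wc_active" = "no" ] && [ "$wc_tables" = "yes" ]; then
        verdict="$verdict CVE-2026-4798"
    fi
    echo "$verdict"
}

# Live use: sh triage.sh <plugin-slug>   (find your slug with: wp plugin list)
if [ -n "${1:-}" ] && command -v wp >/dev/null 2>&1; then
    ver=$(wp plugin get "$1" --field=version)
    wp plugin is-active woocommerce && act=yes || act=no
    # Table-name patterns are an assumption; adjust to your installation.
    found=$(wp db tables '*woocommerce*' '*wc_*' --all-tables-with-prefix 2>/dev/null)
    [ -n "$found" ] && tbl=yes || tbl=no
    triage "$ver" "$act" "$tbl"
fi
```

Any output other than "patched" means the plugin should be updated to 3.15.3 or later; the CVE list only indicates which of the reported conditions the site currently meets.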
