Security News

Cybersecurity news aggregator

HIGH Vulnerabilities SC Media

Two vulnerabilities found in popular WordPress plugin Avada Builder

Two high-severity vulnerabilities were discovered in the Avada Builder WordPress plugin: an arbitrary file read flaw (CVE-2026-4782, CVSS 6.5) requiring subscriber access and a more critical SQL injection flaw (CVE-2026-4798, CVSS 7.5) exploitable without authentication to extract sensitive database data. The NVD lists CVE-2026-4782 as affecting Avada Builder up to version 3.15.2 and CVE-2026-4798 up to version 3.15.1. Users must update to Avada Builder version 3.15.3 or later to remediate both issues.

Vulnerability Management | May 14, 2026 | By SC Staff

Based on information from Tech Radar, two security flaws were discovered in Avada Builder, a widely used WordPress plugin with approximately one million active installations. These vulnerabilities could have allowed unauthorized access to sensitive user data.

The vulnerabilities, disclosed by Wordfence, include an arbitrary file read flaw (CVE-2026-4782) requiring subscriber-level access and a high-severity SQL injection flaw (CVE-2026-4798) exploitable without authentication. The SQL injection vulnerability could enable attackers to extract sensitive data, including password hashes, directly from the website's database.

Patches for these issues were released by the developers in April and May 2026, with users strongly advised to update to version 3.15.3 or later. The researcher who discovered these flaws, Rafie Muhammad, was awarded a bounty of around $4,500 through the Wordfence Bug Bounty Program.

Source: Tech Radar