# Critical Vulnerabilities in Avada Builder Plugin Expose WordPress Sites to Data Theft
Two significant vulnerabilities have been discovered in the **Avada Builder** plugin for **WordPress**, potentially impacting over one million active installations. These flaws could allow attackers to read arbitrary files and extract sensitive information from affected databases.

### Arbitrary File Read (CVE-2026-4782)
A critical arbitrary file read vulnerability, tracked as **CVE-2026-4782**, affects **Avada Builder** plugin versions up to 3.15.2. Authenticated users with at least subscriber-level access can exploit this flaw to read the contents of any file on the server. This vulnerability stems from improper validation of file types and sources within the plugin's shortcode-rendering functionality, specifically the `custom_svg` parameter, as detailed by **Wordfence**.
Access to sensitive files such as `wp-config.php`, which contains database credentials and cryptographic keys, can lead to complete site compromise.
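The defect class described above, a shortcode attribute treated as a file path, is easiest to understand next to its fix. The following is an added illustration written for this article, not code from Avada Builder or Wordfence; the shortcode name `demo_icon` and the two function names are hypothetical, while the WordPress functions used (`shortcode_atts`, `absint`, `get_post_mime_type`, `get_attached_file`, `wp_get_upload_dir`, `add_shortcode`) are real core APIs.

```php
<?php
// Added example, not Avada Builder code. Shows the pattern behind an arbitrary
// file read in a shortcode and a hardened version of the same feature.
// "demo_icon" and both function names are hypothetical.

// VULNERABLE PATTERN: the attribute is taken as a path and read directly.
// Anyone allowed to place a shortcode (a subscriber, via a form or profile
// field that renders shortcodes) can point it at wp-config.php.
function demo_icon_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'custom_svg' => '' ), $atts );
    if ( '' === $atts['custom_svg'] ) {
        return '';
    }
    // No check on type, location or ownership of the file.
    return file_get_contents( $atts['custom_svg'] );
}

// HARDENED: accept only a media-library attachment ID, require the SVG MIME
// type, and confirm the resolved path lives under the uploads directory.
function demo_icon_safe( $atts ) {
    $atts          = shortcode_atts( array( 'custom_svg' => 0 ), $atts );
    $attachment_id = absint( $atts['custom_svg'] );
    if ( 0 === $attachment_id ) {
        return '';
    }

    // The value must name an SVG registered in the media library.
    if ( 'image/svg+xml' !== get_post_mime_type( $attachment_id ) ) {
        return '';
    }

    $path    = get_attached_file( $attachment_id );
    $real    = $path ? realpath( $path ) : false;
    $uploads = realpath( wp_get_upload_dir()['basedir'] );
    if ( false === $real || false === $uploads
        || 0 !== strpos( $real, $uploads . DIRECTORY_SEPARATOR ) ) {
        return ''; // symlink or traversal landed outside uploads
    }

    // Extension check as a second opinion against a spoofed MIME record.
    if ( 'svg' !== strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) ) {
        return '';
    }

    $svg = file_get_contents( $real );
    return false === $svg ? '' : $svg;
}
add_shortcode( 'demo_icon', 'demo_icon_safe' );
```

The three checks are deliberately independent: the MIME lookup stops non-image attachments, the `realpath` prefix test stops traversal and symlinks pointing outside the uploads tree, and the extension test guards against a tampered attachment record. Inline SVG is also a cross-site scripting vector, so a production implementation would additionally sanitize the markup before echoing it, which this example does not show.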
### SQL Injection (CVE-2026-4798)
Another severe vulnerability, **CVE-2026-4798**, is a time-based blind SQL injection flaw affecting **Avada Builder** versions through 3.15.1. This vulnerability can be exploited without authentication under specific conditions: the **WooCommerce** e-commerce plugin must have been enabled and then deactivated, leaving its database tables intact.
Attackers can leverage this flaw by injecting SQL into the `product_order` parameter, which is then inserted into an SQL `ORDER BY` clause without proper query preparation. Successful exploitation allows extraction of sensitive information from the site database, including password hashes.
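`ORDER BY` is a recurring injection point in WordPress plugins because `$wpdb->prepare()` only parameterises values, not column names or sort directions. The added example below, written for this article and not taken from Avada Builder or WooCommerce, shows an unprepared sort clause beside the usual remedy, an allowlist that maps the request token onto fixed column expressions. The function names are hypothetical; `$wpdb`, `$wpdb->posts`, `$wpdb->prepare()` and `$wpdb->get_col()` are real WordPress APIs.

```php
<?php
// Added example, not plugin code. Both function names are hypothetical.
// $wpdb is the global WordPress database object.

// VULNERABLE PATTERN: the request value is concatenated into ORDER BY.
// A time-based blind payload (e.g. a SLEEP() expression) is evaluated by the
// server, so the attacker reads data through response timing alone.
function demo_products_unsafe( $product_order ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' "
         . "ORDER BY {$product_order}";
    return $wpdb->get_col( $sql );
}

// HARDENED: resolve the token against an allowlist of known sort expressions.
// The SQL that reaches the database contains only our own literals plus
// values bound through prepare(); unknown tokens fall back to a default.
function demo_products_safe( $product_order ) {
    global $wpdb;

    $allowed = array(
        'date'       => 'post_date DESC',
        'title'      => 'post_title ASC',
        'title-desc' => 'post_title DESC',
        'menu_order' => 'menu_order ASC, post_title ASC',
    );

    // Arrays or other non-strings from the query string never reach the map.
    $key      = is_string( $product_order ) ? $product_order : '';
    $order_by = isset( $allowed[ $key ] ) ? $allowed[ $key ] : $allowed['date'];

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s "
        . "ORDER BY {$order_by}",
        'product',
        'publish'
    );
    return $wpdb->get_col( $sql );
}
```

The allowlist approach is preferable to escaping because an identifier cannot be safely quoted the way a value can; rejecting anything not in the map removes the injection surface entirely. From a detection standpoint, time-based blind injection tends to leave a distinctive trail: bursts of requests to the same endpoint that differ only in the sort parameter and whose response times cluster at fixed delays.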
### Discovery and Remediation
Security researcher Rafie Muhammad discovered both vulnerabilities through the **Wordfence** Bug Bounty Program. The issues were reported to **Wordfence** on March 21st and subsequently to the **Avada Builder** publisher on March 24th.
A partial fix was implemented in version 3.15.2, released on April 13th. A complete patch was delivered with version 3.15.3, released on May 12th.
### Recommendation
Website owners and administrators using the **Avada Builder** plugin are strongly advised to update to version 3.15.3 immediately to mitigate these critical security risks.