Two security flaws in the Avada Builder WordPress plugin, which has around one million active installs, let attackers read arbitrary files and pull sensitive data from the database.

One of the vulnerabilities is identified as CVE-2023-3153 and affects all versions up to and including 3.15.23; it allows an authenticated user with at least subscriber-level access to read the contents of any file on the server. The other security issue was assigned the identifier CVE-26-4798 and is an SQL injection vulnerability that can be exploited without authentication. However, exploitation is only possible if the WooCommerce e-commerce plugin for WordPress has been enabled and subsequently deactivated.

Avada Builder is a drag-and-drop page builder plugin for the Avada WordPress theme that allows users to create and customize website layouts, content sections, and design elements without writing any code.

The two vulnerabilities were discovered by security researcher Rafie Muhammad, who reported them via the Wordfence Bug Bounty Program and was awarded $3,386 and $1,067 respectively for his findings.

According to Wordfence, the arbitrary file read vulnerability can be exploited through the plugin's shortcode-rendering feature using the custom_svg parameter. The problem is that the plugin fails to properly validate file types and sources, which permits unauthorized access to sensitive files like wp-config.php, which usually holds database credentials and cryptographic keys. Access to wp-config.php can allow attackers to compromise an administrator account and take over the entire site. Although the vulnerability is rated medium severity because it requires subscriber-level access, this is not a significant barrier, since many WordPress sites allow user registration.

The time-based blind SQL injection flaw, tracked as CVE-2026-33, affects Avada Builder versions up to 3.15.1.
The vulnerability arises because user-supplied input from the product_order parameter is placed directly into an SQL ORDER BY clause without proper sanitization or prepared statements. This flaw allows unauthenticated attackers to extract sensitive data from the database, such as password hashes. Exploitation requires that WooCommerce was previously installed and then deactivated while its database tables were left intact.

The two vulnerabilities were reported to Wordfence on March 21 and to the Avada Builder developer on March 24.
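The two defects described above, a file reference that is never checked against an allowed type or location, and an ORDER BY clause assembled from raw request input, are fixed the same way in any WordPress plugin. The PHP below is an added illustration of those two mitigations; it is not Avada Builder's code and not Wordfence's. Only the parameter names (custom_svg, product_order) and the wp-config.php target come from the article; the helper function names, the list of allowed columns and the temporary directory layout are assumptions made for the example.

```php
<?php
// Added defensive example, not code from the Avada Builder plugin or from Wordfence.
// Helper names, the allowed column list and the directory used below are assumptions.
declare(strict_types=1);

/**
 * Build an ORDER BY clause from an untrusted "column[:direction]" string such as
 * the article's product_order parameter. Identifiers cannot be bound through
 * prepared-statement placeholders, so the input is mapped onto a fixed allow-list
 * and the untrusted string itself never reaches the SQL text.
 */
function safe_order_by(string $input, array $allowedColumns, string $default): string
{
    $parts     = explode(':', $input, 2);
    $column    = strtolower(trim($parts[0]));
    $direction = strtoupper(trim($parts[1] ?? 'ASC'));

    if (!in_array($column, $allowedColumns, true)) {
        $column = $default;          // unknown column: fall back, do not interpolate
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';          // anything other than ASC/DESC is discarded
    }
    // Both values are now literals we own, so interpolation is safe.
    return sprintf('ORDER BY %s %s', $column, $direction);
}

/**
 * Resolve a user-supplied SVG reference (the article's custom_svg) to a real file
 * inside $baseDir, or return null. realpath() collapses "..", symlinks and
 * duplicate separators before the prefix and extension checks run, so a request
 * for ../../wp-config.php can never be opened.
 */
function resolve_svg_in_dir(string $userPath, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                 // no such file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                 // resolved outside the allowed directory
    }
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'svg') {
        return null;                 // wrong file type
    }
    // Cheap content check: an SVG starts with an XML declaration or an <svg> element.
    $head = file_get_contents($candidate, false, null, 0, 256);
    if ($head === false || !preg_match('/^\s*(<\?xml|<svg)/i', $head)) {
        return null;
    }
    return $candidate;
}

// Demonstration on constructed input.
$allowed = ['title', 'price', 'date'];
var_dump(safe_order_by('price:desc', $allowed, 'title'));            // "ORDER BY price DESC"
var_dump(safe_order_by('not_a_column:sideways', $allowed, 'title')); // "ORDER BY title ASC"

$dir     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'svg_demo_' . getmypid();
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'outside_' . getmypid() . '.svg';
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'logo.svg', '<svg xmlns="http://www.w3.org/2000/svg"></svg>');
file_put_contents($outside, '<svg xmlns="http://www.w3.org/2000/svg"></svg>');

var_dump(resolve_svg_in_dir('logo.svg', $dir) !== null);                  // true: inside, .svg, valid
var_dump(resolve_svg_in_dir('../../wp-config.php', $dir));                // NULL: traversal, not .svg
var_dump(resolve_svg_in_dir('../' . basename($outside), $dir));           // NULL: real .svg, but outside dir

unlink($dir . DIRECTORY_SEPARATOR . 'logo.svg');
unlink($outside);
rmdir($dir);
```

Run it with `php example.php`. The point of the first helper is that sanitizing or escaping does not help for identifiers: a column name cannot be a bound parameter, so the only defensible pattern is to pick from a list the code owns. The second helper rejects the request for three independent reasons (location, extension, content), so a bypass of one check, for example an upload that carries a .svg name, still does not yield arbitrary file contents.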
BleepingComputer