Avada Builder Flaws Expose One Million WordPress Sites
ID: 5f6a9fc9-451a-54ed-b016-bf0a4c75198e
STIX ID: report--5f6a9fc9-451a-54ed-b016-bf0a4c75198e
Feed Name: Infosecurity Magazine (News)
## Executive summary

Two vulnerabilities in the Avada Builder WordPress plugin were disclosed and patched: CVE-2026-4782 (authenticated arbitrary file read via an SVG shortcode allowing exposure of files like wp-config.php) and CVE-2026-4798 (unauthenticated time-based SQL injection via the product_order parameter on sites that previously had WooCommerce). The vendor released fixes (3.15.2/3.15.3) and site owners are advised to update immediately, audit subscriber accounts, rotate credentials if compromise is suspected, and check for suspicious ajax traffic.
