Avada Builder Plugin Vulnerability (CVE-2026-4798)

Security Alert Summary

The Avada Builder plugin for WordPress contains a time-based SQL injection vulnerability in the product_order parameter in all versions up to and including 3.15.1. Due to insufficient escaping of the user-supplied value and lack of proper preparation of an existing SQL query, unauthenticated attackers can append additional SQL to the query and extract sensitive data from the database. The issue is only exploitable if WooCommerce was previously used and then deactivated.


CVE Details

  • CVE ID: CVE-2026-4798
  • Affected component: Avada Builder plugin for WordPress
  • Affected versions: All versions up to and including 3.15.1
  • Published: May 13, 2026 1:01:55 PM
  • Last modified: May 13, 2026 2:43:46 PM
  • CVSS v3.1: Base Score 7.5, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User Interaction: No authentication required; Privileges Required: NONE; User Interaction: NONE
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • CWE / weakness: CWE-89 (SQL Injection)

Technical Details

The vulnerability is a time-based SQL injection in the product_order parameter. The plugin fails to sufficiently escape user-supplied input and does not adequately prepare the existing SQL query, allowing an attacker to append additional SQL statements to the query. This can be exploited to extract sensitive information from the database via time-based techniques.

Exploitation is limited by the requirement that WooCommerce was previously installed and then deactivated; only in that state can the vulnerable query path be reached as described. No specific functions or REST endpoints are named in the available description.
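To make the weakness class concrete, here is an added illustration that is not the plugin's code: a hypothetical product listing handler that interpolates product_order into an ORDER BY clause, beside an allowlist-based fix. The function names, table columns and the assumption that product_order feeds ORDER BY are mine; the advisory names no function, and the example does not model the WooCommerce-deactivated precondition.

```php
<?php
// Added illustrative example, not the Avada Builder plugin's own code.
// Assumes a hypothetical handler that sorts WooCommerce products by a
// request-supplied "product_order" value.

// VULNERABLE PATTERN: the user-controlled value is concatenated into the
// query. esc_sql() alone would not fix this: ORDER BY takes column names
// and keywords, not a quoted string literal, so the value never sits
// inside quotes that escaping could protect. A crafted value can add
// expressions that change how long the query takes, which is what makes
// blind, time-based extraction possible.
function example_get_products_vulnerable( $product_order ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'product' AND post_status = 'publish'
            ORDER BY " . $product_order; // injection point
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: ORDER BY columns and directions cannot be bound as
// prepared-statement parameters, so the safe approach is an allowlist that
// maps the request value to a fixed SQL fragment; unknown values fall back
// to a default. Values that are data, such as LIMIT, go through prepare().
function example_get_products_hardened( $product_order, $limit = 12 ) {
    global $wpdb;

    $allowed_orders = array(
        'date'       => 'post_date DESC',
        'title'      => 'post_title ASC',
        'menu_order' => 'menu_order ASC, post_title ASC',
    );
    $order_sql = isset( $allowed_orders[ $product_order ] )
        ? $allowed_orders[ $product_order ]
        : $allowed_orders['date'];

    // $order_sql is one of our own literals, so interpolating it is safe.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'product' AND post_status = 'publish'
         ORDER BY {$order_sql} LIMIT %d",
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}
```

The same allowlist approach applies to any sort, column or table name taken from a request, since none of those can be passed as a %s or %d placeholder to $wpdb->prepare().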


How This Could Impact Your Website

Imagine a site owner who has allowed multiple contributors and an external contractor to manage products and content. An unauthenticated attacker could exploit the product_order parameter to extract database data, which might include internal user email addresses, order metadata, or other stored information. That exposed information increases the risk of targeted phishing or social engineering against staff, contractors, or customers. The vulnerability does not indicate direct modification of data or availability loss, but disclosure of sensitive content can still harm operations and trust.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and external contractor access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins, and verify whether WooCommerce was previously installed and deactivated.
  • Monitor site activity and logs for unusual behavior, including unexpected database queries or data access patterns.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
