The Avada Builder plugin, with more than 1 million active installations, was found to contain arbitrary file read and SQL injection vulnerabilities that could allow attackers to access sensitive files and extract database information from affected sites. The issues affect versions up to 3.15.2 and 3.15.1, respectively, with fixes released in versions 3.15.2 and 3.15.3.
The security issues were discovered by security researcher Rafie Muhammad through the Wordfence Bug Bounty Program, earning bounty rewards of $3,386 and $1,067, respectively.
Root cause of the issues
The arbitrary file read vulnerability was linked to the plugin’s fusion_get_svg_from_file() function, which is used to load SVG content for the fusion_section_separator shortcode. In vulnerable versions, the function did not enforce sufficient file type or source validation, making it possible for authenticated attackers with Subscriber-level access and above to read arbitrary files on the server, including sensitive files such as wp-config.php.
The SQL injection vulnerability was tied to the plugin’s post_query() function in the FusionSC_PostCards class, which handles the plugin’s post card items query functionality. According to the disclosure, the product_order parameter was sanitized using sanitize_text_field(), but the value was later inserted directly into an ORDER BY statement without using the WordPress wpdb prepare() function, potentially allowing attackers to use a time-based blind approach to extract database information. The disclosure noted that the issue could only be exploited if WooCommerce had previously been used and then deactivated.
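The ORDER BY pattern described above, shown as an added illustration that is not Avada Builder's own code: it assumes it runs inside WordPress (so sanitize_text_field() and the global $wpdb exist) and uses a hypothetical product query and a hypothetical "column-direction" input shape to contrast the unsafe construction with an allowlisted one.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress is loaded
// (sanitize_text_field() and $wpdb available); the query and input shape
// are hypothetical.

// Pattern the disclosure describes: the value is sanitized as text and then
// concatenated into ORDER BY. sanitize_text_field() strips tags and control
// characters but leaves SQL syntax intact, and prepare() is never involved.
function postcards_query_unsafe( string $product_order ): string {
    global $wpdb;
    $order = sanitize_text_field( $product_order );
    return "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' ORDER BY {$order}";
}

// Hardened form. prepare() binds values, not identifiers or keywords, so the
// column and direction are resolved against fixed allowlists and only the
// remaining value (post_type) goes through prepare().
function postcards_query_safe( string $product_order ): string {
    global $wpdb;

    // Accepted client-facing names mapped to real column names.
    $allowed_columns = [
        'date'  => 'post_date',
        'title' => 'post_title',
        'id'    => 'ID',
    ];
    $allowed_dirs = [ 'ASC', 'DESC' ];

    // Hypothetical input shape "<column>-<direction>", e.g. "date-desc".
    $parts  = explode( '-', strtolower( sanitize_text_field( $product_order ) ), 2 );
    $column = $allowed_columns[ $parts[0] ] ?? 'post_date';   // unknown key -> default
    $dir    = strtoupper( $parts[1] ?? 'DESC' );
    if ( ! in_array( $dir, $allowed_dirs, true ) ) {
        $dir = 'DESC';                                          // unknown dir -> default
    }

    // Identifier and keyword come only from the allowlists; the value is bound.
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s ORDER BY {$column} {$dir}",
        'product'
    );
}
```

The hardened version never lets request input reach the SQL text: an unrecognised column or direction falls back to a default rather than being echoed into the query.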
The patch
The Avada team released a partial patch in version 3.15.2 on April 13, 2026, followed by a full fix in version 3.15.3 on May 12, 2026.