Avada Builder Flaws Expose One Million WordPress Sites to File Read and SQL Injection Attacks
Wordfence threat intelligence researchers have disclosed critical security vulnerabilities in the Avada Builder WordPress plugin, a widely deployed page builder tool, potentially exposing approximately one million WordPress installations to remote attacks. The flaws combine an arbitrary file read vulnerability and a SQL injection weakness, a pairing that could allow attackers to extract sensitive system data, manipulate database content, or escalate access under specific conditions.
The arbitrary file read vulnerability enables authenticated attackers—particularly those with contributor-level access or higher—to read arbitrary files from the server hosting the WordPress installation. When chained with the SQL injection flaw, this access could be leveraged to extract database credentials, retrieve user session tokens, or harvest other credentials stored on the filesystem. Avada Builder, developed by ThemeFusion, is one of the most popular WordPress page builders, making the affected install base exceptionally broad. Wordfence issued its disclosure following responsible coordination with the vendor.
Site administrators running Avada Builder should treat this disclosure as high-priority. Patching to the latest vendor-released version is the immediate recommended action. Organizations unable to patch immediately should consider restricting contributor-level access, reviewing server-side file permissions, and monitoring for unusual database query patterns. Given the plugin's prevalence across managed WordPress hosting environments, the disclosure is likely to draw sustained attention from both threat intelligence teams and active exploit developers.
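The monitoring step above is easy to state and harder to operationalise. The following script is an added example, not code from Wordfence, ThemeFusion or the Avada project, and it assumes nothing about the plugin's real endpoints: it scans constructed web-server access-log lines (Combined Log Format) for generic file-read indicators such as path-traversal sequences and requests that name wp-config.php, and constructed MySQL general-query-log lines for generic injection indicators such as UNION-based SELECTs or time-based functions. The `action=hypothetical_action&file=` parameter in the sample requests is invented for illustration. Hits are triage leads for the incident responder, not proof of compromise.

```python
"""Hunt for file-read and SQL-injection indicators in WordPress-related logs.

Added example with constructed sample data; the request parameters and
query text below are illustrative and not taken from any real plugin.
"""
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# MySQL general query log: timestamp  thread_id  command  argument
QUERY_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<sql>.*)$')

# Generic indicators; each is (pattern, human-readable reason for the finding)
FILE_READ_INDICATORS = [
    (re.compile(r'\.\.[/\\]'), 'path traversal sequence'),
    (re.compile(r'(?:^|[/=])etc/passwd\b'), 'request names /etc/passwd'),
    (re.compile(r'wp-config\.php', re.IGNORECASE), 'request names wp-config.php'),
]
SQLI_INDICATORS = [
    (re.compile(r'\bUNION\b.*\bSELECT\b', re.IGNORECASE), 'UNION-based SELECT'),
    (re.compile(r'\binformation_schema\b', re.IGNORECASE), 'information_schema access'),
    (re.compile(r'\b(?:SLEEP|BENCHMARK)\s*\(', re.IGNORECASE), 'time-based function'),
]

# Constructed sample access log (hypothetical_action and the file= parameter are invented)
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&file=../../../../wp-config.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 978 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:12:01:10 +0000] "GET /wp-content/uploads/2025/03/logo.png HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:12:01:12 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'this line is malformed and must be skipped, not guessed at',
]
# Constructed sample MySQL general log
SAMPLE_QUERY_LOG = [
    '2025-03-10T12:00:00.000000Z\t   42 Connect\twp_user@localhost on wordpress using TCP/IP',
    "2025-03-10T12:00:07.000001Z\t   42 Query\tSELECT ID, post_title FROM wp_posts WHERE post_status = 'publish' ORDER BY post_date DESC LIMIT 10",
    '2025-03-10T12:00:09.000002Z\t   42 Query\tSELECT meta_value FROM wp_postmeta WHERE post_id = 5 UNION SELECT option_value FROM wp_options',
    "2025-03-10T12:00:12.000003Z\t   43 Query\tSELECT 1 FROM wp_options WHERE option_name = 'siteurl' AND SLEEP(5)",
]


def scan_access_log(lines):
    """Return one finding per request whose decoded path carries a file-read indicator."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        # Decode twice so double-encoded input is normalised; decoding plain text is a no-op
        decoded = unquote(unquote(m.group('path')))
        for pattern, reason in FILE_READ_INDICATORS:
            if pattern.search(decoded):
                findings.append({'ip': m.group('ip'), 'path': m.group('path'),
                                 'status': int(m.group('status')), 'reason': reason})
                break  # one finding per request is enough for triage
    return findings


def scan_query_log(lines):
    """Return one finding per Query record whose SQL text carries an injection indicator."""
    findings = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or m.group('cmd') != 'Query':
            continue  # only Query records carry SQL; Connect/Quit etc. are skipped
        sql = m.group('sql')
        for pattern, reason in SQLI_INDICATORS:
            if pattern.search(sql):
                findings.append({'thread': int(m.group('thread')), 'reason': reason, 'sql': sql})
                break
    return findings


def summarize_by_ip(findings):
    """Count access-log findings per client IP to surface the noisiest sources first."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    access_hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for hit in access_hits:
        print(f"[access] {hit['ip']} {hit['status']} {hit['reason']}: {hit['path']}")
    print('per-IP counts:', summarize_by_ip(access_hits))
    for hit in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"[query] thread {hit['thread']} {hit['reason']}: {hit['sql']}")
```

A 200 response on a traversal request deserves more attention than a 403, which is why the status code is carried into each finding; in a real deployment the per-IP summary would feed the decision to review that client's authenticated sessions, in line with the contributor-access review the article recommends.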