
    From TechnologyDaily@1337:1/100 to All on Thursday, May 14, 2026 18:30:26
    Over a million WordPress sites hit in plugin flaw so patch now or face the consequences

    Date:
    Thu, 14 May 2026 17:25:00 +0000

    Description:
    A popular WordPress plugin was found carrying two flaws that can cause data leaks.

    FULL STORY ======================================================================

    Wordfence disclosed two flaws in Avada Builder, a WordPress plugin with around 1 million active installs.
    CVE-2026-4782 (Arbitrary File Read, medium severity) requires subscriber-level access; CVE-2026-4798 (SQL injection, high severity) is exploitable unauthenticated.
    Patches released in April and May 2026; users advised to update to v3.15.3+; researcher Rafie Muhammad earned ~$4,500 bounty.

    A popular WordPress plugin with roughly a million active installations contained two vulnerabilities that could have allowed malicious actors to exfiltrate sensitive data, such as password hashes and other valuable information.

    Security researchers at Wordfence said they were tipped off by researcher Rafie Muhammad about the existence of an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder. Avada Builder is a drag-and-drop page builder for WordPress that comes as part of the Avada ecosystem by ThemeFusion, with more than 1,050,000 active installations right now. With it, users can build websites without needing to learn or write code. It works by dragging and dropping different elements like text blocks, images, sliders, buttons, forms, pricing tables, and layouts onto a page, and customizing them in real time.

    Patches available

    The only prerequisite to be able to exploit the first bug is to have at least subscriber-level access, which shouldn't be too difficult on most sites. This bug, now tracked as CVE-2026-4782, was assigned a severity score of 6.5/10 (medium).

    The SQL injection vulnerability, on the other hand, can be exploited even by unauthenticated attackers, to extract sensitive data from the database, including hashed passwords. This one is now tracked as CVE-2026-4798 and was assigned a slightly higher severity score - 7.5/10 (high).

    Wordfence said the flaws were disclosed to the Avada team on March 24 and 25, 2026, and the developers came back with patches within two months - one on April 13, and the other on May 12.

    Users running Avada Builder on their website are advised to update the plugin to version 3.15.3 or newer as soon as possible.
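    For an operator with more than one site to check, the practical question is which installs are still below 3.15.3. The script below is an added example, not code from Wordfence, ThemeFusion or the article: it reads plugin inventories shaped like the JSON that `wp plugin list --format=json` prints (the inventories here are constructed), compares the installed version against the fixed release named in the article, and lists the sites that still need the update. The plugin slug "avada-builder" is a placeholder, not the real slug; substitute the one your installs actually use.

```python
"""Flag WordPress sites whose Avada Builder install predates the fixed release.

Added example (not Wordfence's or ThemeFusion's code). The inventories below are
CONSTRUCTED to mimic `wp plugin list --format=json`; the slug "avada-builder" is a
PLACEHOLDER for the real plugin slug.
"""
import json
import re

FIXED_VERSION = "3.15.3"       # release the article says contains both fixes
PLUGIN_SLUG = "avada-builder"  # PLACEHOLDER slug, substitute the real one

# Constructed sample: one inventory per site, keyed by hostname.
SAMPLE_INVENTORY = {
    "shop.example":   '[{"name": "avada-builder", "status": "active",   "update": "available", "version": "3.14.0"}]',
    "blog.example":   '[{"name": "avada-builder", "status": "active",   "update": "none",      "version": "3.15.3"}]',
    "docs.example":   '[{"name": "avada-builder", "status": "inactive", "update": "none",      "version": "3.15.2"}]',
    "static.example": '[{"name": "akismet",       "status": "active",   "update": "none",      "version": "5.3"}]',
}


def parse_version(version):
    """Turn '3.15.3' into (3, 15, 3).

    Each dotted component contributes its leading digits; a component with no
    leading digits (e.g. 'rc1') sorts below every numeric one.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else -1)
    return tuple(parts)


def is_outdated(installed, fixed=FIXED_VERSION):
    """True when `installed` sorts strictly below `fixed` (missing components count as 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, slug=PLUGIN_SLUG):
    """Return {site: (version, status)} for every site still running a pre-fix build.

    Inactive copies are reported as well: deactivating a plugin leaves its files
    on disk, so the outdated code is only gone once it is updated or removed.
    """
    findings = {}
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") == slug and is_outdated(plugin.get("version", "0")):
                findings[site] = (plugin["version"], plugin["status"])
    return findings


if __name__ == "__main__":
    for site, (version, status) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{site}: {PLUGIN_SLUG} {version} ({status}) is below {FIXED_VERSION}, update it")
```

    Feed `audit()` the real `wp plugin list --format=json` output from each site and it returns only the installs that still need attention; the version comparison is numeric per component, so 3.15.10 correctly sorts above 3.15.3 where a plain string comparison would not.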

    Muhammad was paid roughly $4,500 in bounty for his troubles, Wordfence confirmed.

    "Props to Rafie Muhammad who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program," it wrote in its report.

    "Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security."




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/over-a-million-wordpress-sites-hit-in-plugin-flaw-heres-what-we-know


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)