Security researchers have disclosed two critical vulnerabilities in the Avada Builder plugin for WordPress, a theme builder used by an estimated one million active WordPress installations. The flaws allow unauthenticated attackers to read arbitrary files from the server, including the WordPress configuration file, and to use the credentials it contains to reach the site's database.
What Happened
The vulnerabilities affect Avada Builder, one of the most widely deployed commercial WordPress page builders. Exploiting them gives an attacker the database credentials stored in the WordPress configuration file, which compromises the whole site rather than just the plugin, and can reach further on hosts where several sites share a database server or reuse credentials.
The two flaws allow:
- Arbitrary file read: attackers can request any file the web server process can read, including wp-config.php, which holds the database host, name, user and password in plaintext alongside the authentication keys and salts
- Database credential extraction: once wp-config.php has been read, full database access follows, exposing all user data, password hashes and plugin settings; the keys and salts in the same file also let an attacker forge authentication cookies
Affected Versions
All Avada Builder versions prior to the patched release are affected. With an install base of roughly one million sites, the blast radius is significant, and every site still running an outdated version is exposed.
Technical Details
The file read vulnerability is a path traversal or local file inclusion (LFI) bug: a file path derived from request input is not confined to the directory the plugin is meant to serve from, so "../" segments or an absolute path reach any file the web server user can read. The database exposure follows directly from that, because wp-config.php stores the database credentials as plaintext PHP constants by design; WordPress needs them at runtime.
Neither vulnerability requires authentication, so mass exploitation by automated scanners is a realistic concern.
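The following is an added illustration of the bug class, not Avada's code: a hypothetical plugin endpoint that serves files from one directory. The directory name, the two resolver functions and the example paths are assumptions. The vulnerable resolver joins user input onto a base directory and trusts the result; the hardened one decodes the input (twice, to catch double-encoding), refuses absolute paths and NUL bytes, canonicalises, and then checks that the result still lies inside the allowed directory.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: a hypothetical plugin endpoint that may only serve
# files from this directory. Path and names are assumptions, not Avada's code.
ALLOWED_DIR = "/var/www/html/wp-content/uploads"


def vulnerable_resolve(requested: str) -> str:
    """Unsafe pattern: join the user-supplied name onto the base directory and
    trust the result. '../' segments walk out of ALLOWED_DIR, and an absolute
    path replaces the base entirely (posixpath.join semantics)."""
    return posixpath.normpath(posixpath.join(ALLOWED_DIR, unquote(requested)))


def hardened_resolve(requested: str):
    """Decode, canonicalise, then verify the result is still inside
    ALLOWED_DIR. Returns the resolved path, or None when the request is rejected."""
    decoded = unquote(unquote(requested))   # two rounds: catches %252e%252e%252f
    if "\x00" in decoded:                   # NUL-byte truncation tricks
        return None
    if posixpath.isabs(decoded):            # absolute paths are never valid here
        return None
    base = posixpath.normpath(ALLOWED_DIR)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Containment check. A bare startswith(base) would also accept a sibling
    # such as '/var/www/html/wp-content/uploads_evil/...', hence the '/'.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("2024/01/report.pdf", "../../wp-config.php",
                  "%252e%252e%252fwp-config.php", "/etc/passwd"):
        print(f"{probe!r:38} vulnerable -> {vulnerable_resolve(probe)}")
        print(f"{'':38} hardened   -> {hardened_resolve(probe)}")
```

In a real deployment the hardened resolver should also call os.path.realpath on the candidate after confirming it exists, so that a symlink placed inside the allowed directory cannot point back out of it; the pure-string check above is deterministic and runs offline, which is why it is shown that way.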
Recommended Actions
WordPress site administrators running Avada Builder should take immediate action:
- Update immediately to the latest patched version of Avada Builder via the WordPress plugin dashboard
- Rotate database credentials if you believe your site may have been targeted; since wp-config.php also holds the authentication keys and salts, regenerate those too, which invalidates every existing login session
- Review server logs for requests carrying traversal sequences ("../", "%2e%2e%2f", double-encoded variants) or wp-config.php in a query string; the telling pattern is a plugin endpoint whose file parameter points at wp-config.php, not a direct GET for it, which PHP executes rather than serves
- Enable a WAF (Web Application Firewall) to block exploitation attempts until the patch is applied, treating it as a stopgap, since encoded and double-encoded traversal sequences can slip past naive signatures
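To make the log review concrete, here is an added detection script; it is not from the article or the plugin vendor. It parses lines in the common combined log format, URL-decodes each request target repeatedly to defeat double-encoding, and flags dot-dot traversal, NUL bytes and references to sensitive file names. The sample lines, the IP addresses (documentation ranges) and the /wp-content/plugins/example/export.php endpoint are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample in combined log format. Addresses are TEST-NET ranges and
# the plugin endpoint is made up; this is not real traffic or an Avada path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:01:12 +0000] "GET /wp-content/plugins/example/export.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.3 - - [12/Jan/2025:10:01:13 +0000] "GET /wp-content/uploads/2024/12/photo.jpg HTTP/1.1" 200 84112 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:10:01:14 +0000] "GET /wp-content/plugins/example/export.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.9 - - [12/Jan/2025:10:02:40 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/8.4"
198.51.100.3 - - [12/Jan/2025:10:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# File names that should never appear in a file parameter of a plugin endpoint.
SENSITIVE_NAMES = ("wp-config.php", "/etc/passwd", ".env")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding (%252e -> %2e -> .) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list:
    """Reasons a request target looks like a file-read attempt; [] if clean."""
    decoded = fully_decode(target).lower()
    reasons = []
    if re.search(r"\.\.[\\/]", decoded):      # ../ or ..\ after decoding
        reasons.append("dot-dot traversal")
    if "\x00" in decoded:                      # %00 truncation
        reasons.append("null byte")
    if any(name in decoded for name in SENSITIVE_NAMES):
        reasons.append("sensitive file name")
    return reasons


def scan_log(text: str) -> list:
    """Parse combined-format lines and return the suspicious ones, in order."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def hits_by_ip(hits: list) -> dict:
    """Count flagged requests per client, to spot scanners hammering one site."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["status"], ", ".join(h["reasons"]), h["target"])
    print("per client:", hits_by_ip(found))
```

When reading the output, weight a flagged request by its status and size: a 200 with a few kilobytes returned from a plugin endpoint asked for wp-config.php is the pattern to treat as a likely compromise and a reason to rotate credentials, whereas a 403 or 404 shows the attempt was blocked.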
Broader Context
WordPress plugin vulnerabilities continue to be a primary attack vector for mass-targeting campaigns. Plugins with large install bases attract disproportionate attention from threat actors using automated scanning infrastructure. Keeping plugins updated and monitoring for unusual traffic are the most effective defenses.
The disclosure underscores the ongoing risk of trusting third-party plugin code on high-traffic WordPress deployments, particularly where plugins have deep access to the file system and database layer.
Source: BleepingComputer