PT-2026-40584 · WordPress · Avada Builder

Rafie Muhammad · Published 2026-05-13 · Updated 2026-05-18 · CVE-2026-4798

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Avada Builder versions prior to 3.15.2

Description: The Avada Builder plugin for WordPress contains a time-based SQL injection vulnerability. In a time-based (blind) SQL injection, an attacker submits queries that make the database pause for a chosen duration and uses the delay to infer whether a condition is true. The flaw is reachable through the 'product order' parameter because user-supplied data is insufficiently escaped and the SQL query is not properly prepared. Unauthenticated attackers can append additional SQL to the query and extract sensitive information from the database. The issue only affects sites where WooCommerce was previously installed and later deactivated. Approximately 1 million sites are estimated to be at risk.

Recommendations: Update to a version newer than 3.15.1.
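As an added illustration of the weakness class the description names (this is constructed example code, not Avada Builder's actual code; the function names, the 'product_order' request value and the column allow-list are assumptions), the unsafe ORDER BY pattern is shown beside a hardened WordPress version. ORDER BY identifiers cannot be bound as $wpdb->prepare() placeholders, so the fix is an allow-list rather than escaping alone.

```php
<?php
// Constructed illustration of an ORDER BY injection in a WordPress plugin.
// Not Avada Builder's code; names and columns below are assumptions.

// Vulnerable pattern: a request-controlled sort value is concatenated into the
// query with no escaping and no preparation, so any SQL after the column name
// becomes part of the statement executed by the database.
function get_products_vulnerable( $wpdb, $order ) {
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_type = 'product' ORDER BY {$order}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: map the request value onto a fixed allow-list of
// column/direction pairs, fall back to a safe default for anything else, and
// bind the remaining literal through $wpdb->prepare().
function get_products_hardened( $wpdb, $order ) {
    $allowed = array(
        'date'  => 'post_date DESC',
        'title' => 'post_title ASC',
        'id'    => 'ID ASC',
    );

    if ( ! is_string( $order ) || ! isset( $allowed[ $order ] ) ) {
        // Rejected values are worth logging: repeated unknown sort keys from
        // one client are a useful detection signal for probing.
        error_log( 'Rejected product_order value: ' . wp_json_encode( $order ) );
        $order = 'date';
    }
    $order_by = $allowed[ $order ];

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_type = %s ORDER BY {$order_by}",
        'product'
    );
    return $wpdb->get_results( $sql );
}

// Typical call site (hypothetical): only the hardened variant should see raw input.
// $products = get_products_hardened( $wpdb, $_GET['product_order'] ?? 'date' );
```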

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-4798

Affected Products: Avada Builder