CVE-2026-4782

EUVD-2026-29933

13.05.2026, 13:01

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Common Weakness Enumeration

CWE-36 - Absolute Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Vulnerability Media Exposure

[ENGLISH] Avada Builder Flaws Expose One Million WordPress Sites
Avada Builder flaws allowed file read and SQL injection on one million WordPress sites
Published: 2026-05-13T14:00:00+00:00

References

https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226

https://www.wordfence.com/threat-intel/vulnerabilities/id/86346be9-7ca6-49b7-83b2-01a335d48c94?source=cve