Description
The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if WooCommerce was previously used and then deactivated.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Avada Builder plugin for WordPress contains a time‑based SQL injection vulnerability in the product_order parameter in all releases through 3.15.1. The parameter is not properly escaped and the surrounding query is not prepared, allowing an attacker to append and execute arbitrary SQL statements. This can lead to extraction of sensitive database contents by unauthenticated users.
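The added example below is not Avada Builder's code and is not taken from this page; it illustrates the bug class the description names (CWE-89 through an unescaped, unprepared ORDER BY clause) beside a hardened rewrite. The table, function names, accepted sort keys and the request entry point are assumptions made for the illustration. The practical point is that ORDER BY takes identifiers and keywords, which `$wpdb->prepare()` cannot parameterise, so escaping alone does not close this hole; the user value has to be mapped through an allow-list to a fixed SQL fragment.

```php
<?php
// Added illustration of the bug class described above. NOT the Avada Builder
// code: the table, function names and sort keys are assumptions for the example.

/**
 * Vulnerable pattern: the request value reaches the SQL string unchanged.
 * In an ORDER BY clause a value such as "post_date, IF(1=1,SLEEP(5),0)" is
 * evaluated by MySQL, which is the generic shape of time-based injection.
 */
function example_products_unsafe( string $product_order ): array {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'product' AND post_status = 'publish'
            ORDER BY {$product_order}";          // unescaped and unprepared
    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Hardened pattern. Identifiers and keywords cannot be placeholders in
 * $wpdb->prepare(), so user input is only ever used as a key into a fixed map.
 */
const EXAMPLE_ORDER_MAP = [          // assumed sort keys for the example
    'date'  => 'post_date',
    'title' => 'post_title',
    'menu'  => 'menu_order',
];

function example_products_safe( string $product_order, string $direction = 'asc', int $limit = 12 ): array {
    global $wpdb;

    // sanitize_key() lowercases and strips to [a-z0-9_-]; unknown keys fall
    // back to a fixed default instead of being interpolated.
    $column = EXAMPLE_ORDER_MAP[ sanitize_key( $product_order ) ] ?? 'post_date';
    $dir    = ( strtolower( $direction ) === 'desc' ) ? 'DESC' : 'ASC';

    // Values (as opposed to identifiers) go through prepare() placeholders.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = %s
         ORDER BY {$column} {$dir}
         LIMIT %d",
        'product',
        'publish',
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Assumed entry point (shortcode or AJAX handler); the real plugin's is not shown here.
// $rows = example_products_safe( wp_unslash( $_GET['product_order'] ?? 'date' ) );
```

Note that `$column` and `$dir` are still string-interpolated into the prepared statement; that is safe only because both values come from constants chosen by the code, never from the request.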

Affected Systems

The flaw exists in the Themefusion Avada Builder plugin for WordPress (tracked on this page under the product name Fusion Builder) and affects all versions up to and including 3.15.1. It is reachable without authentication, but only on sites where WooCommerce was previously active and has since been deactivated; WooCommerce does not need to be running at the time of the attack, the precondition is historical.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N records network-reachable exploitation with low complexity, no privileges and no user interaction, and a high confidentiality impact with no integrity or availability impact scored. The EPSS probability is below 1% and the flaw is not in the CISA KEV catalog; neither figure rules out exploitation, they only indicate that none has been publicly confirmed at the time of writing. The attack is a single unauthenticated HTTP request carrying a crafted product_order value. Because the injection is time-based, the attacker infers data from response delays rather than from page content, which is slow but needs no database errors or output to be reflected. The WooCommerce precondition narrows exposure on typical installations below what the score alone suggests, but affected sites should still be remediated promptly.

Generated by OpenCVE AI on May 13, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avada Builder to version 3.15.2 or later. The description lists 3.15.1 as the last affected version, but the Remediation field on this page records no vendor fix yet, so confirm the patched release against the vendor's changelog before closing the ticket.
  • If an update cannot be applied immediately, temporarily deactivate the Avada Builder plugin, or refuse requests whose product_order value is not one of the sort keys the site legitimately uses (at the web server, the WAF, or in a must-use plugin).
  • Clean up leftover WooCommerce tables and options with WooCommerce's own uninstall procedure. This limits what an attacker can read from the database, but it is not documented to remove the vulnerable code path and does not replace the update.
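As an added example of the interim filtering option (not Avada Builder or OpenCVE code), the must-use plugin below refuses any request carrying an unexpected product_order value before regular plugins handle it. The accepted character set is an assumption: legitimate values are taken to be short sort keys of letters, digits, '_' and '-', and the pattern should be widened if the site's own pages are observed sending anything else. It is a stop-gap until the update is applied, not a fix.

```php
<?php
/**
 * Plugin Name: Interim product_order filter (added example, not vendor code)
 *
 * Place in wp-content/mu-plugins/ while the Avada Builder update is pending and
 * remove it afterwards. Assumption: legitimate product_order values match
 * EXAMPLE_PRODUCT_ORDER_PATTERN; tune it to the values your pages actually send.
 */

const EXAMPLE_PRODUCT_ORDER_PATTERN = '/\A[A-Za-z0-9_-]{1,40}\z/';

/**
 * True when the value is a plain sort key, false when the request must be refused.
 * Quotes, parentheses, commas, whitespace and semicolons are all rejected, which
 * covers the shapes time-based payloads need (function calls, comments, stacking).
 */
function example_product_order_is_clean( $value ): bool {
    if ( ! is_string( $value ) ) {   // product_order[]=... arrays are never legitimate here
        return false;
    }
    return (bool) preg_match( EXAMPLE_PRODUCT_ORDER_PATTERN, $value );
}

/** Refuse the request before any plugin code can build a query from the parameter. */
function example_block_bad_product_order(): void {
    if ( ! isset( $_REQUEST['product_order'] ) ) {
        return;
    }
    if ( example_product_order_is_clean( wp_unslash( $_REQUEST['product_order'] ) ) ) {
        return;
    }
    // Leave a trail for the SOC, then stop. No query has executed at this point.
    error_log( sprintf(
        'Blocked suspicious product_order from %s for %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? ''
    ) );
    status_header( 403 );
    nocache_headers();
    exit( 'Forbidden' );
}

// mu-plugins load before regular plugins; 'plugins_loaded' at priority 0 runs this
// before shortcode, REST or admin-ajax handlers registered by any plugin.
add_action( 'plugins_loaded', 'example_block_bad_product_order', 0 );
```

The filter checks `$_REQUEST` so that both GET and POST submissions are covered; the cost is that a legitimate value containing characters outside the pattern would also be refused, which is why the pattern needs to be validated against real traffic before deployment.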

Generated by OpenCVE AI on May 13, 2026 at 11:21 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:45:00 +0000

  First Time appeared
    Values added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress
  Vendors & Products
    Values added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Wed, 13 May 2026 10:15:00 +0000

  Description
    Values added: The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if WooCommerce was previously used and then deactivated.
  Title
    Values added: Avada Builder <= 3.15.1 - Unauthenticated SQL Injection via 'product_order' Parameter
  Weaknesses
    Values added: CWE-89
  References
    Values added: (none in this entry)
  Metrics
    Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Themefusion Fusion Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:48:19.553Z

Reserved: 2026-03-25T06:21:57.615Z

Link: CVE-2026-4798

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-13T13:01:55.760

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-4798

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:30:15Z

Weaknesses