Two critical vulnerabilities in the Avada Builder WordPress plugin allow attackers to steal site administrator credentials [1].
The issue is significant because the plugin has approximately one million active installations [1], [2]. If exploited, the flaws give unauthorized parties access to sensitive database contents and internal files, potentially compromising the entire website.
The vulnerabilities are an arbitrary file read flaw and a SQL injection flaw [1]. Together, these two flaws enable attackers to extract database contents and read arbitrary files from the server [1], [4]. Once an attacker gains this level of access, they can obtain the credentials necessary to take full control of a site's administration panel.
Analysis published on May 12, 2024 detailed how these flaws operate [2]. The flaws are in the plugin developed by ThemeFusion, which is widely used for creating custom layouts on WordPress sites [1].
Security researchers said that the combined effect of these two flaws creates a direct path to credential theft [1]. Attackers do not need high-level permissions to begin the process of extracting data from the affected sites [1].
Approximately one million WordPress sites are estimated to be at risk due to the widespread use of the plugin [2]. Site owners are urged to update their software to the latest version to patch these holes and prevent unauthorized access to their data [1].
The scale of this vulnerability highlights the systemic risk associated with popular third-party plugins in the WordPress ecosystem. Because a single plugin is shared across one million sites, a single coding error creates a massive attack surface for hackers. This incident underscores the necessity for automated update systems and regular security audits for site administrators to prevent widespread credential theft.