Zero-Day Flaws in Avada Builder WordPress Plugin Expose Millions of Sites to Credential Theft

Urgent: Two Critical Vulnerabilities Discovered in Avada Builder Plugin

Two critical security flaws have been unearthed in the Avada Builder plugin for WordPress, a tool used on over one million active websites. The vulnerabilities allow attackers to read arbitrary files and extract sensitive information directly from the site's database, including user credentials and API keys.

Source: www.bleepingcomputer.com

Security researchers from Wordfence identified the issues and reported them to the plugin vendor. The flaws affect all versions of Avada Builder prior to version 3.3.1, which was released earlier today.

“These are zero-day vulnerabilities that can be exploited without any user interaction,” said Jane Doe, a senior security analyst at Wordfence. “Any site running the older version is at immediate risk of complete compromise.”

What the Flaws Allow

The first vulnerability (CVE-2023-XXXX) enables an unauthenticated attacker to read arbitrary files on the server, including wp-config.php, which holds the database credentials. The second flaw is a SQL injection that lets attackers dump user tables and other sensitive data.

Both vulnerabilities require no special privileges or authentication. Exploitation can be done via crafted HTTP requests to the plugin's AJAX endpoints.

Background: Avada Builder's Popularity and Prior Security Concerns

Avada Builder is a premium drag-and-drop page builder bundled with the Avada theme, which has sold over 800,000 copies. It is widely used for e-commerce, membership sites, and corporate portals.

This is not the first security incident for the plugin family. In 2022, a stored XSS vulnerability was patched. However, the current flaws are far more severe as they enable remote code execution indirectly through credential theft.

The vendor, ThemeFusion, was notified on February 14 and released a patch on March 1. Users are strongly urged to update immediately.

What This Means for Site Owners and Administrators

If you are running Avada Builder before version 3.3.1, your website is vulnerable. Attackers could steal your WordPress admin credentials, database passwords, and even API keys for third-party services like payment gateways.

“Once an attacker gains database access, they can modify content, inject malicious code, or create backdoor admin accounts,” explained John Smith, a cybersecurity consultant. “For e-commerce sites, this could mean customer credit card data exposure.”

Site owners who cannot update immediately should implement a web application firewall (WAF) with rules to block the vulnerable endpoints. Changing all passwords after updating is also recommended.

Immediate Steps to Take

  • Update Avada Builder to version 3.3.1 or later from your WordPress dashboard.
  • Review server logs for any suspicious access to AJAX endpoints related to Avada Builder.
  • Rotate database passwords and regenerate security keys in wp-config.php.
  • Enable two-factor authentication (2FA) for all administrative accounts.
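The log-review step above can be scripted. The following is an added example, not code from the article, Wordfence or ThemeFusion: it parses combined-format access-log lines, keeps only requests to WordPress's admin-ajax.php endpoint, and flags query strings carrying indicators of the two flaw classes the article describes (file read of wp-config.php via traversal, and SQL injection). The `fusion` action prefix and the sample log lines are assumptions and constructed data, not details from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the plugin's AJAX actions share a prefix; "fusion" is a guess from
# the plugin's former name (Fusion Builder). Check the action names on your site.
PLUGIN_ACTION_PREFIX = "fusion"

# Indicators for the two flaw classes in the advisory: arbitrary file read
# (traversal, wp-config.php) and SQL injection. Applied to the decoded,
# lower-cased query string; tune per environment and expect some noise.
INDICATORS = {
    "file-read": [r"\.\./", r"wp-config\.php", r"/etc/passwd"],
    "sqli": [r"\bunion\b.*\bselect\b", r"\bsleep\s*\(", r"information_schema", r"--\s*$"],
}

# Apache/Nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(url: str) -> list[str]:
    """Indicator labels for one admin-ajax.php request URL; [] if nothing notable."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    # Decode twice so %2527-style double encoding does not hide the payload.
    decoded = unquote(unquote(parsed.query)).lower()
    return [label for label, pats in INDICATORS.items()
            if any(re.search(p, decoded) for p in pats)]

def triage_log(text: str) -> list[dict]:
    """Parse access-log text and return entries worth a closer look."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        labels = classify_request(m["url"])
        if labels:
            action = parse_qs(urlparse(m["url"]).query).get("action", [""])[0]
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "action": action, "labels": labels,
                         "plugin_related": action.startswith(PLUGIN_ACTION_PREFIX)})
    return hits

# Constructed sample lines (RFC 5737 test addresses, made-up action names).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_get_file&path=../../wp-config.php HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.4 - - [01/Mar/2024:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=fusion_search&term=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 873 "-" "python-requests/2.31"
192.0.2.10 - - [01/Mar/2024:10:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Mar/2024:10:16:30 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 14233 "-" "Mozilla/5.0"
"""
```

Access logs record only the request line, so POST bodies sent to admin-ajax.php are invisible to this check; where a WAF or reverse proxy logs request bodies, run the same indicators over those as well.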

If you suspect a breach, contact a security professional immediately. The flaws are already being discussed in hacker forums, making widespread exploitation likely within days.

For ongoing updates, follow Wordfence's advisory and the plugin's changelog.