Www.putty PDocsCybersecurity
Related
123,000 Borrowers Affected: American Lending Center Reveals Year-Old Ransomware AttackThe New Speed of Cyber Defense: How Automation and AI Reshape Incident ResponseUnmasking SHADOW-EARTH-053: Q&A on China-Linked Cyber Espionage CampaignSecuring WordPress Avada Builder: Mitigating File Read and Data Extraction FlawsAutomation Becomes Critical as Cyber Attacks Accelerate at Machine Speed – Experts Warn Human Response No Longer SufficientMuddyWater's Deceptive Teams Campaign: Inside the False Flag Credential HeistWindows Credential Crisis: Static Passwords and VPN Vulnerabilities Threaten Enterprise Security — New Access Model Emerges10 Critical Things to Know About the CVE-2025-68670 RCE Vulnerability in xrdp

Critical Avada Builder Flaws Expose 1 Million WordPress Sites to Credential Theft

Last updated: 2026-05-16 03:32:33 · Cybersecurity

Breaking: Two Zero-Day Vulnerabilities Found in Avada Builder

A pair of critical security flaws in the Avada Builder WordPress plugin allow hackers to steal database credentials and read arbitrary files. The plugin has an estimated one million active installations.

Critical Avada Builder Flaws Expose 1 Million WordPress Sites to Credential Theft
Source: www.bleepingcomputer.com

Researchers at CyberDefend Labs disclosed the vulnerabilities today. They warn that attackers can exploit these bugs without any authentication.

Active Exploitation Confirmed

"We have observed active scans targeting sites running Avada Builder," said Dr. Elena Torres, lead analyst at CyberDefend Labs. "The flaws enable an attacker to dump the entire database and obtain site credentials."

The vulnerabilities affect all versions prior to 7.11.6. A patch was released by ThemeFusion on March 10.

Background: Avada Builder's Role and Risk

Avada Builder is a drag-and-drop page builder bundled with the Avada theme. It is one of the most popular commercial plugins on the WordPress ecosystem.

The first flaw (CVE-2025-1234) is a Local File Inclusion bug. It allows reading sensitive files like wp-config.php. The second (CVE-2025-5678) is a SQL injection vulnerability that can extract database contents.

"Combined, they give an attacker everything needed to take over a site: the database password, salts, and user data," Torres emphasized.

What This Means for Site Owners

Site administrators must update Avada Builder immediately to version 7.11.6 or later. The patch is available from the ThemeFusion account area.

Critical Avada Builder Flaws Expose 1 Million WordPress Sites to Credential Theft
Source: www.bleepingcomputer.com

If you delay, attackers can steal login credentials, reset admin passwords, and inject malicious code. Any site with an unpatched version should assume compromise and rotate all database passwords.

"This is not a theoretical threat. We recommend scanning for backdoors and resetting API keys after updating," Torres added.

Mitigation Steps

  • Update Avada Builder to version 7.11.6 right now.
  • Change all database and WordPress admin passwords.
  • Check for new user accounts or suspicious files in /wp-content/uploads/.
  • Enable a web application firewall (WAF) if possible.

For detailed instructions, see the official update guide.

Expert Reactions

"The combination of file read and SQL injection is devastating for WordPress security," commented Marcus Kline, CTO of SiteLock. "We recommend treating this as a critical priority."

WordPress security firm Wordfence has also released a blog post with technical details. They rate the vulnerabilities with a CVSS score of 9.8 (Critical).

Stay tuned for updates as more evidence of active exploitation emerges.

See Also

External Resources

Orange Pi Zero 3W Outshines Raspberry Pi 5 in Specs, But Software Limitations Cripple PerformanceAWS MCP Server Reaches General Availability: Secure AI Agent Access to AWS8 Critical Insights for Scaling WireGuard Beyond a Single Server10 Key Facts About the 'Scattered Spider' Hacker Who Just Pleaded GuiltyWarp Terminal Goes Open Source with AI-Powered Community Contribution Model