Avada (Fusion) Page Builder had two vulnerabilities in versions up to 3.15.1. One allows authenticated users to read arbitrary files from the server. The other lets unauthenticated visitors inject SQL queries! Both are now fixed in 3.15.3 (released May 12, 2026), but if you’re running an older version, you should update immediately.
Avada is installed on over 1 million WordPress sites, so this is a significant risk for a very large number of sites.
The File Read Vulnerability
The [fusion_section_separator] shortcode accepts a custom_svg parameter that’s supposed to load a custom SVG file. But there’s no validation on the file path. An authenticated user (even a Subscriber) can use path traversal to read any file the web server can access.
Here’s the vulnerable code path:

```php
// shortcodes/fusion-section-separator.php
$custom_svg_data = fusion_get_svg_from_file( $this->args['custom_svg'], [...] );

// inc/helpers.php
function fusion_get_svg_from_file( $url, $args = [] ) {
	$svg = fusion_file_get_contents( $url ); // No validation
	// ...
}
```

The $url parameter goes straight to fusion_file_get_contents(), which reads it using the WordPress filesystem API. Nothing canonicalises the path, restricts it to an allowed directory, or checks that the target is actually an SVG, so wp-config.php, .env files and anything else the web server account can read are fair game.
An attacker with Subscriber access could create a post with [fusion_section_separator divider_type="custom" custom_svg="../../../wp-config.php"] and the file contents would be embedded in the page. Anyone could then view the page source and extract database credentials, security salts, API keys, etc.
The SQL Injection Vulnerability
The [fusion_woo_product_grid] shortcode accepts product_order and product_orderby parameters from the URL query string. These are passed directly to WooCommerce’s database query builder without sanitisation.
```php
// shortcodes/fusion-woo-product-grid.php
$defaults['order'] = ( isset( $_GET['product_order'] ) ) ? $_GET['product_order'] : $defaults['order'];

// Later, this is used in an ORDER BY clause without parameterised queries
$ordering_args = WC()->query->get_catalog_ordering_args( $defaults['orderby'], $defaults['order'] );
```

At most, product_order passes through sanitize_text_field(), which strips HTML tags, line breaks and stray encoded octets but leaves commas, parentheses and SQL keywords untouched. Downstream, WooCommerce builds the ORDER BY clause by string concatenation rather than with prepared statements. Prepared statements alone would not save it either: a sort direction or column is part of the SQL text, not a bindable value, so the only correct handling is to map the input onto an allow-list (ASC/DESC and a fixed set of columns), and that is exactly what is missing here.
An unauthenticated visitor could craft a URL like ?product_order=ASC,(SELECT(SLEEP(5))) to perform a time-based blind SQL injection. By observing response times, they can extract data from the database — user credentials, customer information, payment details.
This even works if WooCommerce is deactivated, because the database tables are still in place.
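The following is an added example (not Avada's or WooCommerce's code) that puts the two shapes side by side: the request value flowing into ORDER BY after a tag-stripping "sanitiser", and an allow-list that maps both parameters onto fixed SQL literals. The column names in ORDERBY_COLUMNS are illustrative and the request values are constructed; the second row is the payload quoted above.

```php
<?php
// Added example, not Avada's or WooCommerce's code. It contrasts the pattern
// described above (request value flows into ORDER BY after a tag-stripping
// "sanitiser") with an allow-list. The column names in ORDERBY_COLUMNS are
// illustrative; only the shape of the fix matters.

// Vulnerable shape. strip_tags() stands in for sanitize_text_field(): it
// removes HTML, which the payload does not contain, and leaves SQL intact.
function order_by_vulnerable( string $orderby, string $order ): string {
    $order = strip_tags( trim( $order ) );
    return "ORDER BY {$orderby} {$order}";
}

// Hardened shape. Both inputs are keys into fixed tables of SQL literals;
// unknown values fall back to defaults, so no request byte reaches the SQL.
// This is the only option for ORDER BY: wpdb::prepare() placeholders bind
// values, not identifiers or keywords.
const ORDERBY_COLUMNS = [
    'date'       => 'p.post_date',
    'title'      => 'p.post_title',
    'menu_order' => 'p.menu_order',
];

function order_by_safe( string $orderby, string $order ): string {
    $column    = ORDERBY_COLUMNS[ strtolower( trim( $orderby ) ) ] ?? ORDERBY_COLUMNS['date'];
    $direction = strtoupper( trim( $order ) ) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

// Constructed request values; the second row is the payload quoted above.
$requests = [
    [ 'date',  'ASC' ],
    [ 'date',  'ASC,(SELECT(SLEEP(5)))' ],
    [ 'title', 'DESC -- ' ],
    [ 'title; DROP TABLE wp_users;--', 'ASC' ],
];
foreach ( $requests as [ $orderby, $order ] ) {
    echo "product_orderby={$orderby} product_order={$order}\n";
    echo "  vulnerable: ", order_by_vulnerable( $orderby, $order ), "\n";
    echo "  allow-list: ", order_by_safe( $orderby, $order ), "\n";
}
```

In the vulnerable output the SLEEP() subquery appears verbatim in the ORDER BY clause, which is why the time-based probe works; in the allow-list output every malformed row degrades to a default ordering and the attacker-controlled bytes never appear in the statement.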
What to Do
Update immediately. If you’re running Avada (Fusion) Builder, update to version 3.15.3 or later. There is no configuration-only workaround: both issues need the code fix, and the interim steps below only reduce exposure until you can apply it.
Check which version you have. The 3.15.x number is the Avada Builder plugin version, so look under Plugins → Installed Plugins (the Avada theme under Appearance → Themes carries its own, separate version number). If you’re on 3.15.1 or earlier, update now.
If you can’t update right away, disable the product grid shortcode, restrict who can publish content containing custom SVG section separators, and review existing posts for [fusion_section_separator] tags whose custom_svg value contains ../ or an absolute path.