Two vulnerabilities in the Avada Builder plugin (approximately one million active installations) allow credential theft and database extraction: CVE-2026-4782 enables any authenticated subscriber to read wp-config.php and obtain database credentials and encryption keys via path traversal; CVE-2026-4798 allows unauthenticated SQL injection to extract password hashes on sites where WooCommerce was ever installed. Both are patched in version 3.15.3, released May 12, 2026.