https://www.365i.co.uk/news/2026/05/15/avada-builder-sql-injection-cve-2026-4798/ 365i en-GB 2026-05-15T08:55:00+01:00 Avada Builder Just Patched a 1M-Site SQL Injection. The WooCommerce Deactivated Trap Is the Buried Lead. https://www.365i.co.uk/images/posts/2026/05/avada-builder-sql-injection-cve-2026-4798-16x9.webp Avada Builder Just Patched a 1M-Site SQL Injection. The WooCommerce Deactivated Trap Is the Buried Lead. Wordfence disclosed CVE-2026-4798 in Avada Builder this week, affecting over 1,050,000 WordPress installations. The headline is patch to 3.15.3. The buried lead almost nobody covered is the WooCommerce-installed-then-deactivated precondition that turns the SQL injection from a "1M sites at risk" panic into a much narrower exploit window. We have held Avada licences for years and patched our portfolio first. Here is what actually matters.