Last updated: July 5, 2026 at 9:01 AM UTC
Tag: burst-statistics (1 article)

Three WordPress plugins under active exploitation: Funnel Builder, Avada Builder, and Burst Statistics (1.2M+ sites at risk)

Three concurrent WordPress plugin issues are putting millions of sites at risk. Funnel Builder, used on 40,000+ WooCommerce sites, is being actively exploited: an unauthenticated attacker hits an unprotected checkout endpoint, modifies global plugin settings, and injects JavaScript skimmers into checkout pages. Avada Builder, with 1 million installs and bundled with the Avada theme, ships fixes in 3.15.3 for CVE-2026-4782 (CVSS 6.5, an arbitrary file read by Subscriber-level users that exposes wp-config.php) and CVE-2026-4798 (CVSS 7.5, an unauthenticated time-based blind SQL injection on sites where WooCommerce was used and then deactivated). Burst Statistics CVE-2026-8181 is an authentication bypass already being exploited on 200,000 sites.

Check
Inventory WordPress sites you operate or manage for clients; check installed versions of Funnel Builder, Avada Builder (and the Avada theme), and Burst Statistics; pull web access logs for the affected checkout and Fusion shortcode endpoints.
Affected
WordPress sites running Funnel Builder before the latest patch, Avada Builder up to 3.15.2 (1M sites bundled with the Avada theme), and Burst Statistics 3.4.0 or 3.4.1 (200K sites). WooCommerce checkout integrations face the highest impact.
Fix
Update Avada Builder to 3.15.3 (released May 12), update Burst Statistics to the patched release, apply the Funnel Builder fix, then rotate WordPress salts and database passwords on any site that ran a vulnerable Avada Builder version.
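
The inventory step under "Check" can be scripted. The following is an added example, not code from the article or from any of the plugin vendors: it triages the JSON output of `wp plugin list --format=json` against the version ranges stated above. The plugin directory slugs (`fusion-builder`, `burst-statistics`, `funnel-builder`) and the sample data are assumptions; Funnel Builder is always marked for manual review because the page gives no fixed version for it.

```python
import json

# Version rules come from the advisory text; the plugin directory slugs are assumptions.
RULES = {
    "fusion-builder": {"max_vuln": (3, 15, 2)},                   # Avada Builder up to 3.15.2
    "burst-statistics": {"exact_vuln": [(3, 4, 0), (3, 4, 1)]},   # Burst Statistics 3.4.0 / 3.4.1
    "funnel-builder": {"manual": True},                           # no version given on the page
}

def parse_version(text):
    """Turn '3.15.2' into (3, 15, 2), padding short versions; None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(plugin_list_json):
    """Return (slug, version, verdict) for each installed plugin the advisory names."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        rule = RULES.get(plugin.get("name"))
        if rule is None:
            continue
        raw = str(plugin.get("version", ""))
        version = parse_version(raw)
        if rule.get("manual") or version is None:
            verdict = "REVIEW"  # version alone cannot settle it
        elif "max_vuln" in rule:
            verdict = "VULNERABLE" if version <= rule["max_vuln"] else "OK"
        else:
            # "OK" only means the version is outside the range the page lists
            verdict = "VULNERABLE" if version in rule["exact_vuln"] else "OK"
        findings.append((plugin["name"], raw, verdict))
    return findings

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "fusion-builder", "status": "active", "version": "3.15.2"},
    {"name": "burst-statistics", "status": "inactive", "version": "3.4.1"},
    {"name": "funnel-builder", "status": "active", "version": "1.0.0"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, version, verdict in triage(SAMPLE):
        print(f"{verdict:10} {slug} {version}")
```

Inactive plugins are still reported, since their files stay on disk until the plugin is removed.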