Wordfence disclosed two flaws in Avada Builder, a WordPress plugin with around 1 million active installs CVE‑2026‑4782 (Arbitrary File Read, medium severity) requires subscriber‑level access; CVE‑2026 ...