Nexcess incident
Security Advisory: Update Avada Builder and UpdraftPlus WordPress Plugins Immediately
Nexcess is currently experiencing a notice incident affecting us-midwest-1 and us-west-1 and 1 more component, which began 7h ago. The vendor's full update timeline is below.
Affected components
Update timeline
- investigating Jun 26, 2026, 05:27 AM UTC
We are advising all customers using WordPress to verify that the following plugins are updated to the latest available versions. Recently disclosed vulnerabilities affect older versions of these plugins:

CVE-2026-6279 – Avada Builder (Fusion Builder) – Unauthenticated Remote Code Execution
Affected versions: 3.15.2 and earlier

CVE-2026-10795 – UpdraftPlus Backup Plugin – Authentication Bypass
Affected versions: 1.26.4 and earlier

These vulnerabilities may allow unauthenticated attackers to gain control of vulnerable WordPress sites and compromise WordPress user accounts if the plugins have not been updated to the latest available versions.

If your website uses either of these plugins, we strongly recommend that you:

- Update the affected plugin(s) to the latest available version immediately.
- Review your WordPress installation for any unexpected administrator accounts, plugins, or modified files.
- Contact our Support team if you believe your website has been affected or if you need assistance reviewing your installation.
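
One way to check a site's plugin inventory against the affected versions listed above. This is an added example, not part of the vendor's advisory. It assumes WP-CLI is available and that the plugin slugs are `fusion-builder` and `updraftplus`; the version ceilings are the "and earlier" values from the advisory, and the sample inventory is constructed.

```shell
#!/bin/sh
# Added example: flag plugins at or below the versions named in the advisory.
# Input is CSV as produced by:
#   wp plugin list --fields=name,version --format=csv
# Slugs are assumptions; ceilings are the advisory's "and earlier" versions.
AFFECTED='fusion-builder=3.15.2 updraftplus=1.26.4'

flag_affected() {
    awk -F, -v affected="$AFFECTED" '
    # Numeric, field-by-field comparison of dotted versions: 1 if a <= b.
    # A plain string compare would wrongly rank 3.15.10 below 3.15.2.
    function ver_le(a, b,    x, y, n, m, i, p, q) {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) return 1
            if (p > q) return 0
        }
        return 1
    }
    BEGIN {
        k = split(affected, rows, " ")
        for (j = 1; j <= k; j++) { split(rows[j], kv, "="); ceiling[kv[1]] = kv[2] }
    }
    NR == 1 && $1 == "name" { next }   # skip the CSV header row
    {
        gsub(/\r/, "")                 # tolerate CRLF line endings
        if (($1 in ceiling) && ver_le($2, ceiling[$1]))
            printf "AFFECTED %s %s (advisory covers %s and earlier)\n", $1, $2, ceiling[$1]
    }'
}

# Constructed sample inventory (not real output from any site).
SAMPLE='name,version
fusion-builder,3.15.2
updraftplus,1.26.10
akismet,5.3'

printf '%s\n' "$SAMPLE" | flag_affected
```

On a live site, pipe `wp plugin list --fields=name,version --format=csv` into `flag_affected` instead of the sample. For the account review step, `wp user list --role=administrator` lists the administrator accounts to compare against the ones you expect.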