@Xib3rR4dAr
Created February 14, 2024 12:12
Avada <=7.11.4 / Fusion-Builder <= 3.11.4 Improper Access Control

Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)

Description

The Avada theme requires the fusion-builder plugin to operate, and the plugin allows contributor users to add forms. Contributor users can also view submissions for forms created by other users, including admin users, by visiting /wp-admin/admin.php?page=avada-forms.

Fix

Less privileged users should not be allowed to view submissions of forms created by other users or admin users.
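
The fix above amounts to an object-level ownership check on each submission, shown here next to the unscoped listing the description reports. This is an added example, not Avada or Fusion Builder code: it is stand-alone PHP over a constructed data model, and the arrays and function names are hypothetical. Only the capability names edit_posts and edit_others_posts come from WordPress core.

```php
<?php
// Constructed sample data; this is NOT Avada's real storage schema.
$forms = [
    10 => ['author' => 1], // form created by an admin (user 1)
    11 => ['author' => 7], // form created by a contributor (user 7)
];
$submissions = [
    ['id' => 100, 'form_id' => 10, 'data' => 'alice@example.test'],
    ['id' => 101, 'form_id' => 11, 'data' => 'bob@example.test'],
];
// WordPress core capability names; the contributor role lacks edit_others_posts.
$users = [
    1 => ['caps' => ['edit_posts', 'edit_others_posts']],
    7 => ['caps' => ['edit_posts']],
];

// Hypothetical stand-in for a capability lookup on a user record.
function user_has_cap(array $user, string $cap): bool {
    return in_array($cap, $user['caps'], true);
}

// Behaviour the description reports: anyone who reaches the page sees every row.
function list_submissions_unscoped(array $submissions): array {
    return $submissions;
}

// Hardened listing: a page-level check, then a per-row ownership check.
function list_submissions_scoped(array $submissions, array $forms, array $users, int $userId): array {
    $user = $users[$userId] ?? null;
    if ($user === null || !user_has_cap($user, 'edit_posts')) {
        return []; // unknown or unprivileged user: deny by default
    }
    $seesAll = user_has_cap($user, 'edit_others_posts');
    return array_values(array_filter(
        $submissions,
        function (array $s) use ($forms, $userId, $seesAll): bool {
            $form = $forms[$s['form_id']] ?? null;
            if ($form === null) {
                return false; // submission for a missing form: deny
            }
            return $seesAll || $form['author'] === $userId;
        }
    ));
}

foreach ([1, 7] as $uid) {
    $ids = array_column(list_submissions_scoped($submissions, $forms, $users, $uid), 'id');
    printf("user %d sees submissions: %s\n", $uid, implode(', ', $ids));
}
```

The check belongs in the query or handler that returns submission data, not only in the code that renders the menu entry, so that a direct request to the page URL is filtered the same way.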
