Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
In Avada theme, fusion-builder plugin is required for operation and allows contributor users to add forms. It is found that contributor users can view form submissions for forms that are created by other users or admin users by visiting /wp-admin/admin.php?page=avada-forms.
Less privileged users should not be allowed to view submissions of forms created by other users or admin users.