The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
Metrics
Affected Vendors & Products
References
History
Thu, 26 Dec 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 25 Dec 2024 06:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |
Title | Avada Builder <= 3.11.12 - Authenticated (Contributor+) Protected Post Disclosure | |
Weaknesses | CWE-639 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-12-25T06:42:13.625Z
Updated: 2024-12-26T19:56:06.643Z
Reserved: 2024-12-06T22:55:50.294Z
Link: CVE-2024-12335
Vulnrichment
Updated: 2024-12-26T19:56:00.512Z
NVD
Status : Received
Published: 2024-12-25T07:15:11.980
Modified: 2024-12-25T07:15:11.980
Link: CVE-2024-12335
Redhat
No data.