Avada Builder <= 3.11.12 - Authenticated (Contributor+) Protected Post Disclosure
Description
Avada Builder plugin <=3.11.12 exposes private, draft, and password-protected posts to authenticated contributors via handle_clone_post() and fusion_blog shortcode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Avada (Fusion) Builder plugin for WordPress, in versions up to and including 3.11.12, has an information exposure vulnerability. The handle_clone_post() function and the fusion_blog shortcode do not sufficiently restrict which posts can be included, so password-protected, private, or draft posts that should be restricted can be exposed.
Exploitation
An authenticated attacker with contributor-level access or above can exploit this by crafting requests to the handle_clone_post() function or using the fusion_blog shortcode to enumerate and extract content from posts that are not intended to be accessible to them.
Impact
The attacker gains unauthorized read access to password-protected, private, or draft posts, leading to information disclosure of sensitive content that may include unpublished or confidential data.
Mitigation
The vendor (Avada) has not yet released a patch for this vulnerability as of the publication date. Users should monitor the vendor's website [1] for updates and consider restricting contributor-level access or disabling the vulnerable shortcode temporarily. No workaround is currently available.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
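One way to apply the "disable the vulnerable shortcode temporarily" suggestion without breaking pages built by trusted users is sketched below. This is an added example, not Avada's code or a vendor fix. It assumes the shortcode is registered under the tag fusion_blog and rendered through WordPress's standard shortcode API; the fbr_ names and the choice of read_private_posts as the trust threshold are hypothetical. It does not cover the handle_clone_post() path.

```php
<?php
/**
 * Plugin Name: Temporary fusion_blog restriction (added example)
 * Description: Drop into wp-content/mu-plugins/. Not part of Avada.
 */

// Trust threshold (assumption): Editors and Administrators hold this
// capability by default; Contributors and Authors do not.
const FBR_REQUIRED_CAP = 'read_private_posts';

add_filter( 'pre_do_shortcode_tag', 'fbr_block_untrusted_fusion_blog', 10, 2 );

/**
 * Suppress fusion_blog output when the content it sits in was written by
 * a user who could not read private posts directly.
 */
function fbr_block_untrusted_fusion_blog( $output, $tag ) {
    if ( 'fusion_blog' !== $tag ) {
        return $output; // Leave every other shortcode alone.
    }

    $post = get_post();
    if ( $post instanceof WP_Post ) {
        // Judge by the author of the containing post, so a contributor's
        // own draft or preview cannot render the listing.
        $trusted = user_can( (int) $post->post_author, FBR_REQUIRED_CAP );
        $context = 'post ' . $post->ID . ' by user ' . $post->post_author;
    } else {
        // No post context (for example an AJAX render): fall back to the
        // user making the request.
        $trusted = current_user_can( FBR_REQUIRED_CAP );
        $context = 'no post context, user ' . get_current_user_id();
    }

    if ( $trusted ) {
        return $output; // Still false, so WordPress runs the shortcode.
    }

    // Leave a trail for review: each hit is a low-privilege use of the tag.
    error_log( 'fusion_blog suppressed: ' . $context );
    return ''; // Any non-false value short-circuits the shortcode callback.
}
```

Entries written to the PHP error log by this filter also serve as a record of which accounts have placed fusion_blog in their content.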
Affected products (3)
- Range: <=3.11.12
- Range: 0
Patches
No patches discovered yet.
References (2)