Themify Builder <= 7.6.1 - Missing Authorization to Authenticated (Contributor+) Post Duplication
Description
Authenticated attackers with Contributor-level access can duplicate and view private or draft posts of other users via the Themify Builder plugin for WordPress (up to 7.6.1).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Themify Builder plugin for WordPress, in all versions up to and including 7.6.1, contains a missing authorization check in the duplicate_page_ajaxify function. This function, located in class-builder-duplicate-page.php [1], does not verify that the current user has permission to access or duplicate posts created by other users. The lack of capability checks allows authenticated users with Contributor-level access and above to duplicate and subsequently view private or draft posts that belong to other users, bypassing intended access controls.
Exploitation
An authenticated attacker with at least Contributor-level access can exploit this vulnerability by sending a crafted AJAX request to the duplicate_page_ajaxify function. The attacker does not need any special privileges beyond their existing role. By providing the ID of a target post (which may be private or draft), the function duplicates the post and returns a URL to the new copy, allowing the attacker to view the content of posts that should otherwise be inaccessible [1]. No user interaction from the victim is required.
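The missing check described in the Vulnerability and Exploitation sections is an object-level authorization gap: the handler confirms the caller is logged in (WordPress only routes `wp_ajax_*` actions to authenticated users) but never asks whether that user may access the specific post whose ID they supplied. The following is an added illustrative example of a generic WordPress admin-ajax "duplicate post" handler, not Themify Builder's own code; it shows the insecure shape the advisory describes beside a hardened form. The function names, the action name `example_duplicate_post`, and the nonce name are assumptions for this example.

```php
<?php
// Added example (not Themify Builder's code). Function names, the action
// name and the nonce action are assumptions made for this illustration.

/** Shared copy routine: creates a draft copy owned by the current user. */
function example_copy_post( WP_Post $source ) {
    return wp_insert_post( array(
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_excerpt' => $source->post_excerpt,
        'post_status'  => 'draft',
        'post_type'    => $source->post_type,
        'post_author'  => get_current_user_id(),
    ), true );
}

/**
 * INSECURE PATTERN (the class of bug the advisory describes).
 * Being hooked on wp_ajax_* guarantees a logged-in caller, nothing more:
 * no nonce, and no check that this user may read or edit post $post_id.
 * A Contributor can therefore pass the ID of another user's draft or
 * private post and receive an edit URL for a copy they now own.
 */
function example_insecure_duplicate_post_ajax() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $source  = get_post( $post_id );
    if ( ! $source ) {
        wp_send_json_error( 'post not found', 404 );
    }
    $new_id = example_copy_post( $source );
    if ( is_wp_error( $new_id ) ) {
        wp_send_json_error( $new_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'url' => get_edit_post_link( $new_id, 'raw' ) ) );
}

/**
 * HARDENED PATTERN: CSRF nonce plus object-level capability checks before
 * any content is copied.
 */
function example_secure_duplicate_post_ajax() {
    // 1. Reject requests that did not originate from our own admin UI.
    check_ajax_referer( 'example_duplicate_post_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $source  = get_post( $post_id );
    if ( ! $source ) {
        wp_send_json_error( 'post not found', 404 );
    }

    // 2. Object-level authorization. 'edit_post' is resolved by map_meta_cap:
    //    for a Contributor it passes only on their own unpublished posts, and
    //    requires edit_others_posts / edit_private_posts for other users'
    //    drafts and private posts, which Contributors do not hold.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. The caller must also be allowed to create this post type at all.
    $type_obj = get_post_type_object( $source->post_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->create_posts ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $new_id = example_copy_post( $source );
    if ( is_wp_error( $new_id ) ) {
        wp_send_json_error( $new_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'url' => get_edit_post_link( $new_id, 'raw' ) ) );
}

// Register only the hardened handler. Deliberately no wp_ajax_nopriv_ hook,
// so the endpoint is never reachable without a session.
add_action( 'wp_ajax_example_duplicate_post', 'example_secure_duplicate_post_ajax' );
```

The key design point is that the check must be against the specific object (`current_user_can( 'edit_post', $post_id )`), not a role-level capability such as `edit_posts`: a Contributor legitimately holds `edit_posts`, so a role-level check alone would still let them duplicate other users' drafts. When reviewing a plugin's AJAX handlers for this class of bug, look for every handler that accepts a post ID and confirm it performs a per-object capability check before reading or copying that post.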
Impact
Successful exploitation results in unauthorized information disclosure. The attacker gains read access to the content of private or draft posts created by other users. This can expose sensitive information, internal communications, or unpublished content. The attacker does not alter the original post but creates a duplicate copy that they can view. The impact is limited to read access to the duplicated copies; however, if the attacker can further edit the duplicated content, the consequences may escalate [1].
Mitigation
The vendor released version 7.6.2 to fix this vulnerability. Users are advised to update to version 7.6.2 or later immediately. As of the disclosure date, version 7.7.3 is available [2]. No workaround is necessary for sites running a patched version. Users on unsupported or EOL versions should upgrade to a supported release. This CVE is not currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.