[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faVssbjJrPixjTyhK3TQ7dONazvLj6r-y9M0_IL5p07k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"source_links":33},"CVE-2026-1541","avada-fusion-builder-authenticated-subscriber-sensitive-information-exposure-via-insecure-direct-object-reference","Avada (Fusion) Builder \u003C= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference","The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter.","fusion-builder",null,"\u003C=3.15.1","3.15.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-04-14 12:23:58","2026-04-15 01:25:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff1f69f93-80e3-434d-98a6-fc8757b4e6d1?source=api-prod",1,[],"researched",false,3,"This research plan focuses on exploiting CVE-2026-1541, an Insecure Direct Object Reference (IDOR) in Avada's Fusion Builder plugin that allows Subscriber-level users to retrieve protected metadata.\n\n### 1. Vulnerability Summary\nThe `fusion-builder` plugin contains a function `fusion_get_post_custom_field()` (likely located in `inc\u002Fclass-fusion-dynamic-data.php` or similar dynamic data handling classes) used to retrieve metadata for the \"Dynamic Data\" feature. The function fails to sanitize or validate the requested metadata key. In WordPress, keys prefixed with an underscore (`_`) are considered protected\u002Fhidden. By failing to block these keys, the plugin allows users with minimal permissions (Subscriber) to query sensitive internal metadata of any post or page.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n* **Action:** Likely `fusion_app_get_dynamic_data` or `fusion_get_dynamic_data` (inferred from Avada's AJAX naming convention for the dynamic data builder interface).\n* **Parameter:** `post_custom_field` or `key` within the AJAX `data` payload.\n* **Authentication:** Required (Subscriber+).\n* **Precondition:** The attacker must know (or guess) the ID of a target post and the name of a protected metadata key.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with an action related to fetching dynamic data (e.g., `action=fusion_app_get_dynamic_data`).\n2. **Handler:** The AJAX handler (e.g., `Fusion_App::get_dynamic_data()`) receives parameters specifying the data source (`post_custom_field`) and the target key.\n3. **Vulnerable Call:** The handler calls `fusion_get_post_custom_field( $post_id, $key )`.\n4. **Data Retrieval:** `fusion_get_post_custom_field()` calls `get_post_meta( $post_id, $key, true )`.\n5. **Lack of Check:** The function returns the value directly without checking `is_protected_meta( $key )` or verifying if the key starts with an underscore.\n6. **Response:** The protected value is returned in the JSON response to the Subscriber.\n\n### 4. Nonce Acquisition Strategy\nAvada Builder heavily utilizes nonces for its AJAX operations. For Subscriber-level access, we need to find where the builder nonces are exposed.\n\n1. **Identify Shortcode:** Avada often enqueues builder scripts when the `[fusion_text]` or other builder-related shortcodes are present.\n2. **Creation:** Create a simple page as admin containing a builder shortcode:\n `wp post create --post_type=page --post_status=publish --post_title=\"Nonce Page\" --post_content='[fusion_text]Check[\u002Ffusion_text]'`\n3. **Extraction:**\n * Log in as the **Subscriber** user in the browser.\n * Navigate to the \"Nonce Page\".\n * Use `browser_eval` to search for the localized data object. Common Avada objects include `fusionAppConfig`, `fusionBuilderConfig`, or `fusionAllData`.\n * **Target Key:** `window.fusionAppConfig?.fusion_load_nonce` or `window.fusionBuilderConfig?.nonce`.\n * *Verification:* Check the source for `wp_localize_script` calls involving `fusion-builder`.\n\n### 5. Exploitation Strategy\n**Goal:** Retrieve the value of a hidden meta key (e.g., `_wp_page_template` or a custom secret key `_access_token`) from an administrative post (ID 1).\n\n**Step-by-step:**\n1. **Setup Target:** Use WP-CLI to add a \"secret\" hidden meta key to an existing post.\n2. **Obtain Nonce:** Follow the strategy in Section 4.\n3. **Identify Action:** Confirm the exact AJAX action by grepping for `wp_ajax_fusion_.*get_dynamic_data` in the plugin folder.\n4. **Execute Request:**\n * **Method:** POST\n * **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n * **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Subscriber Cookies]`\n * **Payload (Probable):**\n ```text\n action=fusion_app_get_dynamic_data&\n fusion_load_nonce=[NONCE]&\n data={\"type\":\"post_custom_field\",\"post_id\":\"1\",\"field\":\"_access_token\"}\n ```\n * *Note:* The `data` parameter might be a nested JSON string or individual POST keys depending on the specific Avada version's implementation.\n\n### 6. Test Data Setup\n1. **Create Subscriber:**\n `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2. **Create Sensitive Meta:**\n `wp post meta add 1 _secret_system_key \"SUPER_SECRET_VALUE_12345\"`\n3. **Verify Meta Existence:**\n `wp post meta get 1 _secret_system_key` (Should return the value for admin).\n\n### 7. Expected Results\n* **Vulnerable Version:** The HTTP response (JSON) will contain the value `\"SUPER_SECRET_VALUE_12345\"` under a key like `value` or `result`.\n* **Patched Version:** The response will likely be empty, an error message indicating an invalid field, or a 403\u002F400 status code if the key is now validated.\n\n### 8. Verification Steps\n1. Observe the JSON response from the `http_request`.\n2. Confirm the revealed value matches the value set via WP-CLI in the setup phase.\n3. `wp eval 'echo get_post_meta(1, \"_secret_system_key\", true);'` (To confirm what the actual value is for comparison).\n\n### 9. Alternative Approaches\nIf `fusion_app_get_dynamic_data` is not the correct action:\n1. **Grep for Sink:** Search the plugin for calls to `fusion_get_post_custom_field` to find other callers.\n `grep -r \"fusion_get_post_custom_field\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Ffusion-builder\u002F`\n2. **Builder Elements:** Attempt to \"preview\" a builder element as a subscriber if the builder interface is partially accessible. Subscriber users can sometimes trigger element rendering via `action=fusion_render_element` or `action=fusion_get_shortcode_render`. If an element is configured to use dynamic data for a field (e.g., a text block showing a custom field), the rendering process will call the vulnerable function.\n3. **Direct Payload Guessing:** If the `data` parameter structure is different, try:\n `action=fusion_get_dynamic_data¶m=post_custom_field&key=_secret_system_key&post_id=1`","The Avada (Fusion) Builder plugin allows authenticated users (Subscriber+) to retrieve protected post metadata by exploiting an Insecure Direct Object Reference (IDOR) in the Dynamic Data feature. The vulnerability exists because the function responsible for fetching custom field values fails to verify if a requested metadata key is protected (prefixed with an underscore), allowing access to sensitive internal system keys.","\u002F\u002F fusion-builder\u002Finc\u002Fclass-fusion-dynamic-data.php (approximate location)\n\nfunction fusion_get_post_custom_field( $post_id, $key ) {\n \u002F\u002F Vulnerable: Directly returns metadata without checking if the key is protected\n return get_post_meta( $post_id, $key, true );\n}","--- a\u002Ffusion-builder\u002Finc\u002Fclass-fusion-dynamic-data.php\n+++ b\u002Ffusion-builder\u002Finc\u002Fclass-fusion-dynamic-data.php\n@@ -124,5 +124,9 @@\n function fusion_get_post_custom_field( $post_id, $key ) {\n+\tif ( is_protected_meta( $key ) ) {\n+\t\treturn '';\n+\t}\n \treturn get_post_meta( $post_id, $key, true );\n }","The exploit involves an authenticated attacker with at least Subscriber-level privileges leveraging the Avada Dynamic Data AJAX endpoint. \n\n1. Authentication: Log in as a Subscriber-level user.\n2. Nonce Acquisition: Retrieve a valid AJAX nonce (e.g., fusion_load_nonce) from the localized script data (fusionAppConfig) on any page where the Fusion Builder assets are enqueued.\n3. Endpoint Target: Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n4. Payload: Set the 'action' parameter to 'fusion_app_get_dynamic_data' (or equivalent builder data retrieval action) and include a 'data' payload. The payload should specify the 'type' as 'post_custom_field', the target 'post_id', and the sensitive metadata 'field' name (e.g., '_wp_page_template' or other internal keys starting with an underscore).\n5. Execution: The server, lacking a check for protected metadata, returns the value of the requested hidden meta key in the JSON response.","gemini-3-flash-preview","2026-04-16 15:47:23","2026-04-16 15:47:46",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffusion-builder\u002Ftags"]