The plugin does not have authorisation and CSRF checks in the fl_builder_disable AJAX action, which could allow any authenticated user, such as a subscriber, to disable the builder layout of arbitrary posts.

Note: The original advisory mentions the issue has been fixed; however, only a CSRF check has been added, and proper authorisation is still missing.
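The two checks the description distinguishes, shown together in a handler for this AJAX action. This is an added example, not the plugin's own code: the function name, nonce action, `post_id` parameter and meta key are hypothetical placeholders, and only the WordPress core calls are real.

```php
<?php
// Added example: hardened shape for a wp_ajax_* handler that changes a post.
// Hypothetical names (not taken from the plugin): example_fl_builder_disable(),
// the 'example_fl_builder_disable' nonce action, the 'post_id' parameter and
// the '_example_builder_enabled' meta key.

add_action( 'wp_ajax_fl_builder_disable', 'example_fl_builder_disable' );
// No wp_ajax_nopriv_ hook is registered, so logged-out visitors never reach it.

function example_fl_builder_disable() {
    // 1. CSRF check: the nonce proves the request was issued from a page the
    //    site rendered for this user. It says nothing about what the user is
    //    allowed to do, so it cannot replace step 3.
    if ( ! check_ajax_referer( 'example_fl_builder_disable', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Input handling: accept only a positive integer ID of an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }

    // 3. Authorisation check: 'edit_post' is a meta capability evaluated
    //    against this specific post, so a subscriber is rejected and an author
    //    is limited to posts they may edit.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. State change, reached only after both checks pass. The meta key
    //    stands in for whatever the plugin does to disable the layout.
    update_post_meta( $post_id, '_example_builder_enabled', 0 );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

When reviewing a fix for this class of issue, confirm that a per-object capability check like step 3 runs before the state change, not only the nonce verification.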
CPE

Name | Operator | Version |
---|---|---|
beaver-builder-lite-version | lt | 2.5.4.4 |