SeedProd Website Builder Unauthorized Data Access Vulnerability

Vulnerability

A vulnerability exists in the Website Builder by SeedProd plugin for WordPress, specifically in the Theme Builder, Landing Page Builder, Coming Soon Page, and Maintenance Mode components. All versions through 6.18.15 are affected. The issue arises from a missing capability check in the 'seedprod_lite_get_revisisons' function, allowing authenticated attackers with Subscriber-level access and above to access and read the content of arbitrary landing page revisions. This unauthorized access could lead to exposure of sensitive information.
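The class of flaw described above, shown as an added example (not SeedProd's code and not part of the original advisory): a WordPress AJAX handler that verifies only a nonce, next to one that also checks the caller's capability on the requested post. The `example_*` names, the `post_id` parameter and the choice of the `edit_post` capability are assumptions made for illustration.

```php
<?php
// Added illustration. All example_* names are hypothetical, not the plugin's code.

// FLAWED PATTERN: a wp_ajax_ hook fires for every logged-in user, Subscribers
// included, and a nonce only ties the request to a logged-in session.
// Neither one is an authorization decision.
add_action( 'wp_ajax_example_get_revisions', 'example_get_revisions_unchecked' );
function example_get_revisions_unchecked() {
    check_ajax_referer( 'example_nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // No capability check: any authenticated caller receives the revisions
    // of whichever post ID they supply.
    wp_send_json_success( wp_get_post_revisions( $post_id ) );
}

// HARDENED PATTERN: same handler with an object-level capability check.
add_action( 'wp_ajax_example_get_revisions_checked', 'example_get_revisions_checked' );
function example_get_revisions_checked() {
    check_ajax_referer( 'example_nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Assumed policy: only users who may edit this specific page may read
    // its revisions. 'edit_post' is a WordPress meta capability that is
    // evaluated against the given post ID.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Return only the fields the caller needs instead of whole post objects.
    $revisions = array();
    foreach ( wp_get_post_revisions( $post_id ) as $revision ) {
        $revisions[] = array(
            'id'       => $revision->ID,
            'modified' => $revision->post_modified_gmt,
        );
    }
    wp_send_json_success( $revisions );
}
```

When reviewing other handlers for the same flaw, look for `wp_ajax_` callbacks that reach post data without a `current_user_can()` call tied to the object being read.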

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive data, specifically the content of landing page revisions, which could include private or confidential information.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request that invokes the 'seedprod_lite_get_revisisons' function, which lacks the necessary capability check. This can be done with a WordPress account that has the appropriate permissions to access the Website Builder by SeedProd plugin.

Remediation

Users are advised to update the Website Builder by SeedProd plugin to version 6.18.16 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.