Beaver Builder Plugin [Authenticated Post Content Copy]


Plugin doesn’t implement security controls when performing specific AJAX actions. Those actions include:

  • fl_builder_export_templates_data
  • fl_builder_disable
  • fl_builder_duplicate_wpml_layout

This could allow an authenticated user to exploit these hooks in order to perform actions that he may not have the right to do so.

Anti-CSRF (nonces) are also missing in callback functions, making those actions prone to CSRF attacks.

From the specified set of actions, maybe the most destructive one is the fl_builder_duplicate_wpml_layout which allows a user to duplicate the contents of a post, if plugin frontend editor is available for this post. This can be used as a leverage from an attacker to totally nuke a website by duplicating post contents. It also can be used as a leverage from a user without publish_posts to publish specific content by copying to already published posts.


  1. Create a post using plugin editor (needs edit_posts capability)
  2. Perform a request to copy contents from this post (original_post_id) to another already published post (post_id), like ``` POST /wp-admin/admin-ajax.php?action=fl_builder_duplicate_wpml_layout HTTP/1.1 Host: [host] Cookie: [cookies]

original_post_id=2&post_id=1 ```