MEDIUM (6.4)
    Plugin

    Sensitive Information Exposure in Avada Builder Plugin via Unprotected Metadata Keys

    Published Date: 4/15/2026
    CVE ID: CVE-2026-1541

    Summary

    The Avada Builder plugin for WordPress, up to version 3.15.1, contains a vulnerability allowing authenticated users to access protected post metadata. This issue arises from a failure to validate metadata key protection in the `fusion_get_post_custom_field()` function, posing a risk of exposing sensitive information even to users with minimal access rights.

    Vulnerability Details

    The vulnerability in the Avada Builder plugin stems from a missing check on metadata keys, specifically those prefixed with an underscore, which are intended to be protected from general view. The function `fusion_get_post_custom_field()` is responsible for managing dynamic data within posts, and its current implementation does not restrict access to these protected fields for authenticated users, such as subscribers. Such users may therefore be able to retrieve sensitive information, which could lead to privacy breaches or unauthorized information disclosure. This exposure is particularly concerning in a multi-user environment where least privilege principles are expected to be upheld. Potential impacts include unauthorized data access and financial or reputational damage if leaked data is exploited maliciously.

    Recommendations

    To mitigate this vulnerability, implement checks within the `fusion_get_post_custom_field()` function to ensure metadata keys with underscore prefixes are not accessible. Educate users about access controls and limit user roles to only those necessary for their responsibilities. Regularly review and audit user permissions and plugin configurations to enhance security.
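
The kind of check recommended above can be sketched with WordPress core functions. This is an added example, not Avada's code or its patch: the helper name `example_get_safe_post_meta()` and its parameters are hypothetical, and the real signature of `fusion_get_post_custom_field()` is not shown on this page.

```php
<?php
/**
 * Hypothetical helper (added example, not part of Avada Builder).
 * Returns a post meta value for dynamic-data output only when the key is
 * not protected, or when the current user may edit that specific meta key.
 */
function example_get_safe_post_meta( $post_id, $meta_key ) {
	$post_id  = absint( $post_id );
	$meta_key = is_string( $meta_key ) ? trim( $meta_key ) : '';

	// Reject empty or malformed input before touching the database.
	if ( 0 === $post_id || '' === $meta_key ) {
		return '';
	}

	// The caller must at least be allowed to read the post itself
	// (covers private and draft posts).
	if ( ! current_user_can( 'read_post', $post_id ) ) {
		return '';
	}

	// is_protected_meta() is true for keys starting with "_" and for keys
	// flagged through the 'is_protected_meta' filter. Protected keys are
	// served only to users who hold the per-key edit capability, which a
	// subscriber does not have on other users' posts.
	if ( is_protected_meta( $meta_key, 'post' )
		&& ! current_user_can( 'edit_post_meta', $post_id, $meta_key ) ) {
		return '';
	}

	$value = get_post_meta( $post_id, $meta_key, true );

	// Dynamic data is rendered as text; never hand back arrays or objects.
	return is_scalar( $value ) ? (string) $value : '';
}
```

With this check in place, a subscriber requesting a constructed key such as `_example_private_key` receives an empty string, while unprotected keys on posts the user can read are returned as before.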

    Available Fixes

    Last Updated: 4/16/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.
