CVE-2022-1386

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fusion_builder_project:fusion_builder:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 06:40

Type Values Removed Values Added
References () https://theme-fusion.com/version-7-6-2-security-update/ - Patch, Release Notes, Third Party Advisory () https://theme-fusion.com/version-7-6-2-security-update/ - Patch, Release Notes, Third Party Advisory
References () https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b - Exploit, Third Party Advisory () https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b - Exploit, Third Party Advisory
References () https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/ - Patch, Third Party Advisory () https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/ - Patch, Third Party Advisory

14 Mar 2024, 19:58

Type Values Removed Values Added
CPE cpe:2.3:a:fusion_builder_project:fusion_builder:*:*:*:*:*:wordpress:*:*
First Time Fusion Builder Project
Fusion Builder Project fusion Builder

Information

Published : 2022-05-16 15:15

Updated : 2024-11-21 06:40


NVD link : CVE-2022-1386

Mitre link : CVE-2022-1386

CVE.ORG link : CVE-2022-1386


JSON object : View

Products Affected

fusion_builder_project

  • fusion_builder

theme-fusion

  • avada
CWE
CWE-918

Server-Side Request Forgery (SSRF)