Vulnerability Description
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fusion Builder Project | Fusion Builder | < 3.6.2 |
| Theme-Fusion | Avada | < 7.6.2 |
Related Weaknesses (CWE)
References
- https://theme-fusion.com/version-7-6-2-security-update/PatchRelease NotesThird Party Advisory
- https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536bExploitThird Party Advisory
- https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-PatchThird Party Advisory
- https://theme-fusion.com/version-7-6-2-security-update/PatchRelease NotesThird Party Advisory
- https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536bExploitThird Party Advisory
- https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-PatchThird Party Advisory
FAQ
What is CVE-2022-1386?
CVE-2022-1386 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then...
How severe is CVE-2022-1386?
CVE-2022-1386 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-1386?
Check the references section above for vendor advisories and patch information. Affected products include: Fusion Builder Project Fusion Builder, Theme-Fusion Avada.