CVE-2022-1386
Summary
| CVE | CVE-2022-1386 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-05-16 15:15:00 UTC |
| Updated | 2024-03-14 19:58:00 UTC |
| Description | The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures. |
Risk And Classification
Problem Types: CWE-918
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Fusion Builder Project | Fusion Builder | All | All | All | All |
| Application | Theme-fusion | Avada | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Version 7.6.2 Security Update - ThemeFusion \| Avada Website Builder | MISC | theme-fusion.com | |
| Rootshell Discovered A Critical Vulnerability In Top WordPress Theme \| Rootshell Security | MISC | www.rootshellsecurity.net | |
| Attention Required! \| Cloudflare | MISC | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Calum Elrick
There are currently no legacy QID mappings associated with this CVE.