CVE-2022-1386
published 2022-05-16

CVE-2022-1386: The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary…

Priority: P188 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 71.72% (99.3rd percentile)
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Affected (2 ranges)

Vendor                  Product         Version range  Fixed in
fusion_builder_project  fusion_builder  < 3.6.2        3.6.2
theme-fusion            avada           < 7.6.2        7.6.2

Detection & IOCs (extracted from sources)

url:      /wp-admin/admin-ajax.php
command:  action=fusion_form_update_view
command:  action=fusion_form_submit_form_to_url
other:    fusionAction=<SSRF_TARGET_URL>
other:    fusionActionMethod=GET
  • Detect SSRF exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'fusion_form_submit_form_to_url', inspecting the 'fusionAction' field for arbitrary or internal URLs. Note that ordinary access logs do not record the POST body; the 'fusionAction' check needs a WAF, reverse proxy or application log that captures request bodies.
  • The two-stage exploit first calls 'fusion_form_update_view' to retrieve a nonce, then uses that nonce in a multipart POST to 'fusion_form_submit_form_to_url' with an attacker-controlled 'fusionAction' URL. Look for this two-request sequence from the same client in web logs.
  • A response body matching 'Interactsh Server' (or equivalent OOB callback content) in the HTTP response to the second POST indicates successful SSRF exploitation.
  • The vulnerable parameter is 'fusionAction' in the multipart form body; any value pointing to loopback, RFC 1918 or link-local addresses (including cloud metadata endpoints such as 169.254.169.254) should be treated as an active exploitation attempt.
  • No authentication is required (PR:N, UI:N per CVSS). Both AJAX actions are part of the plugin's normal form handling, and the flaw is the missing validation of 'fusionAction' rather than the endpoint itself, so an alert keyed on the action value alone will be noisy on sites that use these forms. Key the alert on the 'fusionAction' destination (internal host, or any host outside the site's expected form destinations) and use the nonce-harvest-then-submit sequence as corroboration.
  • The exploit requires a valid 'fusion-form-nonce-0' / 'fusion_form_nonce' value extracted from the first request; the nonce is dynamic and must be harvested per session via the 'fusion_form_update_view' action before the SSRF payload can be submitted.
  • The vulnerability affects Fusion Builder WordPress plugin versions before 3.6.2 (used in the Avada theme); installations already updated to 3.6.2 or later are not affected.
  • The SSRF response is reflected directly in the application's HTTP response body, making this a synchronous (in-band) SSRF. Detection can therefore be performed by inspecting response content as well as outbound network connections from the web server.
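The detection logic described in the bullets above, written out as an added example (not code from the advisory, from VulnCheck, or from the Fusion Builder project). It assumes a WAF-style request log with one JSON record per line that keeps the POST body and, where available, the response body; the log records, the 300-second correlation window, the optional allowlist of legitimate form destinations, and the function names analyze and is_internal_target are all assumptions made here. The block flags a fusionAction that points at an internal host, a reflected OOB marker, or (when an allowlist is supplied) any destination outside it, and attaches the two-stage nonce-harvest sequence as corroboration:

```python
"""Detection logic for CVE-2022-1386 (Fusion Builder SSRF) exploitation attempts.

Added example, not code from the advisory or the Fusion Builder project. It runs
over a constructed, WAF-style request log (one JSON record per line that keeps
the POST body and, optionally, the response body); ordinary access logs lack
the body, so the 'fusionAction' check needs a source that records it.
"""
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
STAGE1 = "fusion_form_update_view"          # nonce harvest
STAGE2 = "fusion_form_submit_form_to_url"   # SSRF trigger
OOB_MARKER = "Interactsh Server"            # reflected OOB-callback content
SEQUENCE_WINDOW = 300   # seconds between stage 1 and 2 from one client (assumption)


def _host(url):
    """Lower-cased hostname of url (brackets stripped for IPv6), or None."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_internal_target(url):
    """True when fusionAction points at loopback, RFC 1918, link-local (which
    covers cloud metadata at 169.254.169.254), unspecified, or 'localhost'.
    Hostnames that are not IP literals are not resolved here."""
    host = _host(url)
    if not host:
        return True                     # empty or unparsable target: suspicious
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                    # plain hostname: left to DNS-aware checks
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def analyze(log_text, allowed_hosts=None):
    """Return [(src, ts, reason)] alerts. allowed_hosts (assumption: the site
    keeps a list of legitimate 'submit to URL' destinations) flags any other
    host; when None, only internal targets and OOB markers are flagged."""
    alerts = []
    last_stage1 = {}                    # src -> ts of latest nonce-harvest request
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != AJAX_PATH:
            continue
        fields = {k: v[0] for k, v in parse_qs(rec.get("body", "")).items()}
        action = fields.get("action")
        if action == STAGE1:
            last_stage1[rec["src"]] = rec["ts"]
            continue
        if action != STAGE2:
            continue
        target = fields.get("fusionAction", "")
        reasons = []
        if is_internal_target(target):
            reasons.append("fusionAction targets internal host: %r" % target)
        elif allowed_hosts is not None and _host(target) not in allowed_hosts:
            reasons.append("fusionAction host off allowlist: %r" % _host(target))
        if OOB_MARKER in rec.get("resp_body", ""):
            reasons.append("response reflects OOB marker")
        if not reasons:
            continue
        t1 = last_stage1.get(rec["src"])
        if t1 is not None and 0 <= rec["ts"] - t1 <= SEQUENCE_WINDOW:
            reasons.append("two-stage sequence, stage 1 %ds earlier" % (rec["ts"] - t1))
        alerts.append((rec["src"], rec["ts"], "; ".join(reasons)))
    return alerts


# Constructed sample log (not real traffic). Bodies are x-www-form-urlencoded;
# a multipart body would be flattened to the same field/value pairs by the WAF.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 1000, "src": "203.0.113.7", "method": "POST", "path": AJAX_PATH,
     "body": "action=fusion_form_update_view&formID=1"},
    {"ts": 1002, "src": "203.0.113.7", "method": "POST", "path": AJAX_PATH,
     "body": "action=fusion_form_submit_form_to_url"
             "&fusionAction=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F"
             "&fusionActionMethod=GET&fusion-form-nonce-0=abc123",
     "resp_body": "ami-id\ninstance-id"},
    {"ts": 1100, "src": "198.51.100.9", "method": "POST", "path": AJAX_PATH,
     "body": "action=fusion_form_submit_form_to_url"
             "&fusionAction=https%3A%2F%2Fapi.example.com%2Fhook&fusionActionMethod=POST",
     "resp_body": "ok"},                # a form legitimately posting off-site
    {"ts": 1200, "src": "192.0.2.4", "method": "POST", "path": AJAX_PATH,
     "body": "action=fusion_form_submit_form_to_url"
             "&fusionAction=http%3A%2F%2Fxyz.oast.example%2F&fusionActionMethod=GET",
     "resp_body": "<html><body>Interactsh Server</body></html>"},
    {"ts": 1300, "src": "192.0.2.5", "method": "GET", "path": "/"},
])

if __name__ == "__main__":
    for src, ts, reason in analyze(SAMPLE_LOG):
        print("ALERT %s @%d: %s" % (src, ts, reason))
```

On the constructed log the metadata-service request and the request whose response reflects the OOB marker are flagged, while the form that posts to api.example.com is not unless an allowlist is passed that omits it. IP literals in non-dotted forms (decimal or hex) and hostnames that resolve to internal addresses are not caught by is_internal_target; catching those needs a resolver-aware check at the egress side.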

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                7.8    HIGH