CVE-2022-1386
Published: 2022-05-16
Priority: P188 · critical 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 71.72% (99.3rd percentile)
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fusion_builder_project | fusion_builder | < 3.6.2 | 3.6.2 |
| theme-fusion | avada | < 7.6.2 | 7.6.2 |
Detection & IOCs (extracted from sources)
- Detect SSRF exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'fusion_form_submit_form_to_url', particularly inspecting the 'fusionAction' field for arbitrary/internal URLs.
- The two-stage exploit first calls 'fusion_form_update_view' to retrieve a nonce, then uses that nonce in a multipart POST to 'fusion_form_submit_form_to_url' with an attacker-controlled 'fusionAction' URL; look for this two-request sequence in web logs.
- Response body matching 'Interactsh Server' (or equivalent OOB callback content) in the HTTP response to the second POST indicates successful SSRF exploitation.
- The vulnerable parameter is 'fusionAction' in the multipart form body; any value pointing to internal RFC-1918 addresses or localhost should be treated as an active exploitation attempt.
- No authentication is required (PR:N, UI:N per CVSS); any unauthenticated POST to admin-ajax.php with these action values should be alerted on.
- The exploit requires a valid 'fusion-form-nonce-0' / 'fusion_form_nonce' value extracted from the first request; the nonce is dynamic and must be harvested per session via the 'fusion_form_update_view' action before the SSRF payload can be submitted.
- The vulnerability affects Fusion Builder WordPress plugin versions before 3.6.2 (used in the Avada theme); installations already updated to 3.6.2 or later are not affected.
- The SSRF response is reflected directly in the application's HTTP response body, making this a synchronous (in-band) SSRF; detection can be performed by inspecting response content as well as outbound network connections.
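The detection guidance above, turned into a small correlation routine as an added example (not code from the page or from any vendor detection rule): it labels Fusion AJAX POSTs, flags 'fusionAction' values aimed at localhost, RFC 1918 or link-local space, and ties a client's 'fusion_form_submit_form_to_url' to its own preceding 'fusion_form_update_view'. The request tuples, the client addresses and the 60-second window are constructed assumptions; real deployments would feed it from a WAF or body-logging proxy, since the multipart field is not in a plain access log.

```python
import ipaddress
from urllib.parse import urlsplit
AJAX_PATH = "/wp-admin/admin-ajax.php"
FUSION_ACTIONS = {"fusion_form_update_view", "fusion_form_submit_form_to_url"}
SEQUENCE_WINDOW = 60  # assumed max seconds between nonce fetch and submit

# Constructed sample traffic (not from the page), shaped as a WAF or body-logging
# proxy would expose it: (timestamp, client, method, path, action, fusionAction).
SAMPLE_REQUESTS = [
    (100, "198.51.100.7", "POST", AJAX_PATH, "fusion_form_update_view", None),
    (103, "198.51.100.7", "POST", AJAX_PATH, "fusion_form_submit_form_to_url",
     "http://169.254.169.254/latest/meta-data/"),
    (200, "203.0.113.9", "POST", AJAX_PATH, "fusion_form_submit_form_to_url",
     "https://example.org/form-handler"),
    (300, "203.0.113.9", "GET", "/", None, None),
]

def is_internal_target(url):
    """True when the URL host is localhost, loopback, RFC 1918 or link-local."""
    host = urlsplit(url).hostname
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # a hostname would need resolution; out of scope here
    return addr.is_private or addr.is_loopback or addr.is_link_local

def classify(method, path, action, target):
    """Per-request IOC labels: Fusion AJAX action, plus internal SSRF target if set."""
    labels = []
    if method == "POST" and path == AJAX_PATH and action in FUSION_ACTIONS:
        labels.append("fusion-ajax-action")
        if target and is_internal_target(target):
            labels.append("ssrf-internal-target")
    return labels

def detect(requests):
    """Alert per request; add 'two-stage-sequence' when a client's submit follows
    its own fusion_form_update_view within SEQUENCE_WINDOW seconds."""
    alerts, last_view = [], {}  # last_view: client -> ts of latest update_view
    for ts, src, method, path, action, target in sorted(requests, key=lambda r: r[0]):
        labels = classify(method, path, action, target)
        if labels and action == "fusion_form_update_view":
            last_view[src] = ts
        elif labels and src in last_view and ts - last_view[src] <= SEQUENCE_WINDOW:
            labels.append("two-stage-sequence")
        if labels:
            alerts.append((src, ts, labels))
    return alerts
```

Because the SSRF is in-band, the same pipeline can also inspect the response body of the second POST for callback content, which this sketch does not model.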
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 7.8 | HIGH | |
GHSA
GHSA-4gm2-r6xm-jqxh · ghsa_unreviewed · 2022-05-17
CVE-2022-1386 [CRITICAL] CWE-918
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
VulnCheck
fusion_builder_project fusion_builder Server-Side Request Forgery (SSRF)
vulncheck · 2022 · CVSS 9.8
CVE-2022-1386 [CRITICAL]
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
Affected: fusion_builder_project fusion_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-02&host_type=src&vulnerability=cve-2022-
CISA
Microsoft Windows User Profile Service Privilege Escalation Vulnerability
cisa · 2022-04-25 · CVSS 7.0
CVE-2022-21919 [HIGH] CWE-1386
Affected: Microsoft Windows
Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-21919
Remediation Due Date: 2022-05-16
CISA
Microsoft Windows Installer Privilege Escalation Vulnerability
cisa · 2022-03-03 · CVSS 7.8
CVE-2021-41379 [MEDIUM] CWE-1386
Affected: Microsoft Windows
Microsoft Windows Installer contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-41379
Remediation Due Date: 2022-03-17
No detection rules found.
Nuclei
WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery
nuclei · CVSS 9.8
CVE-2022-1386 [CRITICAL]
WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can potentially interact with hosts on the server's local network, bypass firewalls, and access control measures.
Template:

```yaml
id: CVE-2022-1386
info:
  name: WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery
  author: akincibor,MantisSTS,calumjelrick
  severity: critical
  description: |
    WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can
```

References:
- https://theme-fusion.com/version-7-6-2-security-update/
- https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b
- https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/