CVE-2022-1386
Description
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms, which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network, bypassing firewalls and access control measures.
NVD
Severity: CRITICAL
CVE ID: CVE-2022-1386
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2022-1386
Reference: Project Discovery GitHub
ardzz
Reference: GitHub
im-hanzou
Automatic Mass Tool for checking vulnerability in CVE-2022-1386 - Fusion Builder < 3.6.2 - Unauthenticated SSRF
Reference: GitHub
zycoder0day
Reference: GitHub
imhunterand
Reference: GitHub
satyasai1460
Reference: GitHub