WordPress - Server Side Request Forgery (CVE-2022-1386)
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
WordPress sites running the Fusion Builder plugin (bundled with the Avada theme) in a version prior to 3.6.2 are affected by CVE-2022-1386, a Server Side Request Forgery (SSRF) vulnerability. The plugin does not validate a URL parameter in its form handling, so a remote, unauthenticated attacker can make the server issue arbitrary HTTP requests, and the data returned is reflected back in the application's response. This lets the attacker interact with hosts on the server's local network and with services bound to localhost that firewalls and access control measures would otherwise keep unreachable from the internet.
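The root cause described above is a missing check on the destination of a server-side request. The following is an added example, written for this page and not code from Fusion Builder or Avada, showing the validation a plugin should perform before fetching an attacker-supplied URL: allow only http/https, reject credentials in the URL, resolve the hostname, reject any answer that is loopback, private, link-local, multicast, reserved or IPv4-mapped, and hand back the vetted IP so the caller connects to that address (with the original Host header) instead of re-resolving, which closes the DNS-rebinding window. It is in Python rather than PHP so it can be run stand-alone; the resolver is injectable and the table in `demo_resolver` is constructed sample data, not real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every address the system resolver gives for host (empty set on failure).

    getaddrinfo normalises odd literals such as '0x7f.1' or '2130706433' to
    dotted quads, so the ipaddress checks below also catch those encodings.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_internal(ip_text):
    """True if the address must never be reached on behalf of a user."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is an IPv6 object but targets the IPv4 loopback.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Vet a user-supplied URL before the server fetches it.

    Returns (allowed, reason, pinned_ip). When allowed, the caller should
    connect to pinned_ip and send the original hostname in the Host header.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return (False, "scheme not allowed: %r" % parts.scheme, None)
    if parts.username is not None or parts.password is not None:
        return (False, "credentials in URL are not allowed", None)
    host = parts.hostname
    if not host:
        return (False, "missing host", None)
    try:
        # Literal IP (urlsplit already strips the brackets of an IPv6 literal).
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return (False, "host does not resolve", None)
    # Every answer must be acceptable: a name that resolves to one public and
    # one internal address is rejected outright.
    for addr in sorted(addrs):
        try:
            if is_internal(addr):
                return (False, "resolves to internal address %s" % addr, None)
        except ValueError:
            return (False, "unparseable address %r" % addr, None)
    return (True, "ok", sorted(addrs)[0])


# Constructed lookup table used only for the offline demonstration (hypothetical names).
DEMO_TABLE = {
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "rebind.test": {"93.184.216.34", "127.0.0.1"},
}


def demo_resolver(host):
    return set(DEMO_TABLE.get(host, set()))


if __name__ == "__main__":
    for candidate in ("https://example.com/feed.xml",
                      "http://127.0.0.1:8080/admin",
                      "http://[::1]/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://intranet.corp/",
                      "http://rebind.test/",
                      "ftp://example.com/",
                      "http://user:pw@example.com/"):
        print(candidate, "->", check_outbound_url(candidate, demo_resolver))
```

The check is run on resolved addresses rather than on hostname strings, which is why tricks such as a decimal IP, an IPv6-mapped IPv4 address, or a name that points at 127.0.0.1 are all caught by the same few lines; a blocklist of hostnames would miss every one of them.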
- Risk description
A remote, unauthenticated attacker can induce the server-side application to send requests to an attacker-chosen destination, read the responses, and thereby reach internal services that are not exposed to the internet. Depending on what those services accept, this can be used to access data behind the perimeter or to perform unauthorized actions on the server's behalf.
- Exploit capabilities
Sniper can extract custom artefacts from the target as evidence by making the vulnerable server send requests to internal services and returning their responses.
- Recommendation
Update the Fusion Builder plugin (shipped with the Avada theme) to version 3.6.2 or later. Updating WordPress core alone does not fix this issue, because the vulnerable code is in the plugin, not in WordPress itself.
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- 2022
- Published at
- Updated at
- Software Type
- Content Management System
- Vendor
- ThemeFusion (Fusion Builder / Avada); the affected platform is WordPress
- Product
- Fusion Builder WordPress plugin (Avada theme)