HomePentest-Tools.com Logo

WordPress - Server Side Request Forgery (CVE-2022-1386)

Severity
CVSSv3 Score
9.8
Vulnerability description

WordPress is vulnerable to CVE-2022-1386, a Server Side Request Forgery vulnerability. The Fusion Builder WordPress plugin prior to 3.6.2, used in the Avada theme, does not validate a parameter in its forms that could be used to initiate arbitrary HTTP requests. The attacker can interact with hosts on the server's local network by bypassing firewalls and access control measures.

Risk description

The risk exists that a remote unauthenticated attacker can perform unauthorized actions or access data within the server and induce the server-side application to make requests to an unintended location.

Exploit capabilities

Sniper can extract custom artefacts as evidence from the target system by sending requests to internal services.

Recommendation

Upgrade the WordPress to the latest version.

Codename
Not available
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Sep 2018
Published at
Updated at
Software Type
Content Management System
Vendor
WordPress Foundation
Product
WordPress