WordPress - Server Side Request Forgery (CVE-2022-1386)
- Severity
- CVSSv3 Score: 9.8
- Exploitable with Sniper: Yes
- Vulnerability description
WordPress is vulnerable to CVE-2022-1386, a Server Side Request Forgery (SSRF) vulnerability. The Fusion Builder WordPress plugin prior to version 3.6.2, which ships with the Avada theme, does not validate a parameter in its forms, allowing an attacker to make the server initiate arbitrary HTTP requests. Because those requests originate from the server itself, an attacker can reach hosts on the server's local network that firewalls and access control measures would otherwise block.
- Exploit capabilities
Sniper can extract custom artefacts as evidence from the target system by sending requests to internal services.
- Risk description
A remote, unauthenticated attacker may be able to induce the server-side application to send requests to an unintended location, and through those requests perform unauthorized actions or access data reachable from the server.
- Recommendation
Upgrade WordPress to the latest version. Since the vulnerable component is the Fusion Builder plugin (versions prior to 3.6.2), make sure that plugin is updated as well.
- Detectable with: Network Scanner
- Vuln date: Sep 2018
- Published at
- Updated at
- Software Type: Content Management System
- Vendor: WordPress Foundation
- Product: WordPress
- Codename: Not available