WordPress - Server Side Request Forgery (CVE-2022-1386)

WordPress is vulnerable to CVE-2022-1386, a Server Side Request Forgery vulnerability. The Fusion Builder WordPress plugin prior to 3.6.2, used in the Avada theme, does not validate a parameter in its forms that could be used to initiate arbitrary HTTP requests. The attacker can interact with hosts on the server's local network by bypassing firewalls and access control measures.

Sniper can extract custom artefacts as evidence from the target system by sending requests to internal services.

The risk exists that a remote unauthenticated attacker can perform unauthorized actions or access data within the server and induce the server-side application to make requests to an unintended location.

Upgrade the WordPress to the latest version.

https://nvd.nist.gov/vuln/detail/CVE-2022-1386

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1386