WordPress - Server Side Request Forgery (CVE-2022-1386)
- CVSSv3 Score
- Vulnerability description
WordPress is vulnerable to CVE-2022-1386, a Server Side Request Forgery vulnerability. The Fusion Builder WordPress plugin prior to 3.6.2, used in the Avada theme, does not validate a parameter in its forms, which can be abused to initiate arbitrary HTTP requests from the server. This lets an attacker interact with hosts on the server's local network, bypassing firewalls and access control measures.
- Risk description
The risk exists that a remote, unauthenticated attacker can perform unauthorized actions or access data on the server by inducing the server-side application to make requests to an unintended location.
- Exploit capabilities
Sniper can extract custom artefacts as evidence from the target system by sending requests to internal services.
- Recommendation
Upgrade WordPress to the latest version.
- Not available