← Retour aux CVEs

CVE-2022-1386

CRITICAL

9.8

Description

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie5/16/2022

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

fusion_builder_project:fusion_buildertheme-fusion:avada

Faiblesses (CWE)

CWE-918

References

https://theme-fusion.com/version-7-6-2-security-update/(contact@wpscan.com)

https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b(contact@wpscan.com)

https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/(contact@wpscan.com)

https://theme-fusion.com/version-7-6-2-security-update/(af854a3a-2127-422b-91ae-364da2661108)

https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b(af854a3a-2127-422b-91ae-364da2661108)

https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.