| CVE | CVE-2022-1386 |
|---|---|
| CVSS | High (8.3) |
| Publicly Published | April 19, 2022 |
| Last Updated | January 22, 2024 |
| Researcher | Calum Elrick |

The Fusion Builder plugin for WordPress, a core plugin of the Avada theme, is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 3.6.2, as is the Avada theme in versions up to 7.6.2. This is due to insufficient validation of one of its form parameters. Unauthenticated attackers can use specially crafted requests to interact with internal network hosts, which can lead to sensitive information disclosure on certain configurations such as AWS.

| Software Type | Plugin |
|---|---|
| Software Slug | fusion-builder (view on wordpress.org) |
| Patched? | Yes |
| Affected Version | |
| Patched Version | |

| Software Type | Theme |
|---|---|
| Software Slug | Avada (view on wordpress.org) |
| Patched? | Yes |
| Affected Version | |
| Patched Version | |

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.