CVE-2022-1386 (GCVE-0-2022-1386)
Vulnerability from cvelistv5 – Published: 2022-05-16 14:30 – Updated: 2024-08-03 00:03
Title
Fusion Builder < 3.6.2 - Unauthenticated SSRF
Summary
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
Severity
9.8 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/bf7034ab-24c4-46… | x_refsource_MISC |
| https://www.rootshellsecurity.net/rootshell-disco… | x_refsource_MISC |
| https://theme-fusion.com/version-7-6-2-security-update/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Unknown | Fusion Builder | Affected: 3.6.2, < 3.6.2 (custom) |
Credits
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: e2bb6d20-825b-4367-9db3-c6c3ec81e14b
Exploited: Yes
Characteristics
Severity:
98.0
Timestamps
First Seen: 2023-10-15
Asserted: 2023-10-15
Last Seen: 2026-06-26
Scope
Asset Exposure: ['internet-facing']
Notes: Affected: Wordpress / WordPress Fusion Builder plugin | Class: cms | Severity: Critical (CVSS 9.8) | IoT: no | In CISA KEV: no | Honeypot connections on 2026-06-26: 10
Evidence
Type: Honeypot
Signal: In The Wild Attempts
Confidence: 70%
Source: shadowserver
Details
| Field | Value |
|---|---|
| 1D | 1 |
| Iot | no |
| Feed | Shadowserver Foundation honeypot/exploited-vulnerabilities |
| Type | http-scan |
| Class | cms |
| 7D Avg | 17 |
| Vendor | Wordpress |
| 30D Avg | 11 |
| 90D Avg | 4 |
| Product | WordPress Fusion Builder plugin |
| Cisa Kev | no |
| Connections | 10 |
| Observation Date | 2026-06-26 |
| Vulnerability Class | CVSS |
| Vulnerability Score | 9.8 |
| Vulnerability Severity | Critical |
References
Created: 2026-06-30 09:22 UTC | Updated: 2026-06-30 15:51 UTC
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 20014f1e-8696-4dfe-b845-f900cd39188a
Exploited: Yes
Timestamps
First Seen: 2026-01-30
Asserted: 2026-01-30
Scope
Notes: KEVIntel entry: Fusion Builder < 3.6.2 - Unauthenticated SSRF | Affected: Unknown / Fusion Builder | CVSS: 9.8 (CRITICAL) | Used in malware: unknown | Not yet in CISA KEV: True
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | Fusion Builder < 3.6.2 - Unauthenticated SSRF |
| Vendor | Unknown |
| Product | Fusion Builder |
| Added Date | 2026-01-30T00:00:00.000Z |
| Cvss Score | 9.8 |
| Epss Score | None |
| Cvss Severity | CRITICAL |
| Epss Percentile | None |
| Used In Malware | unknown |
| Ahead Of Cisa Kev | None |
| Not Yet In Cisa Kev | True |
References
Created: 2026-06-23 14:03 UTC | Updated: 2026-06-23 14:03 UTC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.951Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://theme-fusion.com/version-7-6-2-security-update/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Fusion Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "3.6.2",
"status": "affected",
"version": "3.6.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Calum Elrick"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application\u0027s response. This could be used to interact with hosts on the server\u0027s local network bypassing firewalls and access control measures."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-16T14:30:50.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://theme-fusion.com/version-7-6-2-security-update/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Fusion Builder \u003c 3.6.2 - Unauthenticated SSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1386",
"STATE": "PUBLIC",
"TITLE": "Fusion Builder \u003c 3.6.2 - Unauthenticated SSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Fusion Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.6.2",
"version_value": "3.6.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Calum Elrick"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application\u0027s response. This could be used to interact with hosts on the server\u0027s local network bypassing firewalls and access control measures."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b"
},
{
"name": "https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/",
"refsource": "MISC",
"url": "https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/"
},
{
"name": "https://theme-fusion.com/version-7-6-2-security-update/",
"refsource": "MISC",
"url": "https://theme-fusion.com/version-7-6-2-security-update/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1386",
"datePublished": "2022-05-16T14:30:50.000Z",
"dateReserved": "2022-04-18T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:03:05.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-1386",
"date": "2026-06-30",
"epss": "0.71722",
"percentile": "0.99344"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fusion_builder_project:fusion_builder:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"3.6.2\", \"matchCriteriaId\": \"B0114474-BD17-4989-B5E2-C71C0C21A360\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"7.6.2\", \"matchCriteriaId\": \"16A123A5-181B-4970-836A-D38BADBFD4F7\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application\u0027s response. This could be used to interact with hosts on the server\u0027s local network bypassing firewalls and access control measures.\"}, {\"lang\": \"es\", \"value\": \"El plugin Fusion Builder de WordPress versiones anteriores a 3.6.2, usado en el tema Avada, no comprueba un par\\u00e1metro en sus formularios que podr\\u00eda ser usado para iniciar peticiones HTTP arbitrarias. Los datos devueltos son reflejados en la respuesta de la aplicaci\\u00f3n. Esto podr\\u00eda ser usado para interactuar con hosts en la red local del servidor omitiendo los firewalls y las medidas de control de acceso\"}]",
"id": "CVE-2022-1386",
"lastModified": "2024-11-21T06:40:37.527",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-05-16T15:15:09.310",
"references": "[{\"url\": \"https://theme-fusion.com/version-7-6-2-security-update/\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Patch\", \"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://theme-fusion.com/version-7-6-2-security-update/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-1386\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-05-16T15:15:09.310\",\"lastModified\":\"2026-06-17T04:22:20.487\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application\u0027s response. This could be used to interact with hosts on the server\u0027s local network bypassing firewalls and access control measures.\"},{\"lang\":\"es\",\"value\":\"El plugin Fusion Builder de WordPress versiones anteriores a 3.6.2, usado en el tema Avada, no comprueba un par\u00e1metro en sus formularios que podr\u00eda ser usado para iniciar peticiones HTTP arbitrarias. Los datos devueltos son reflejados en la respuesta de la aplicaci\u00f3n. Esto podr\u00eda ser usado para interactuar con hosts en la red local del servidor omitiendo los firewalls y las medidas de control de acceso\"}],\"affected\":[{\"source\":\"contact@wpscan.com\",\"affectedData\":[{\"vendor\":\"Unknown\",\"product\":\"Fusion Builder\",\"versions\":[{\"version\":\"3.6.2\",\"lessThan\":\"3.6.2\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fusion_builder_project:fusion_builder:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"3.6.2\",\"matchCriteriaId\":\"B0114474-BD17-4989-B5E2-C71C0C21A360\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"7.6.2\",\"matchCriteriaId\":\"16A123A5-181B-4970-836A-D38BADBFD4F7\"}]}]}],\"references\":[{\"url\":\"https://theme-fusion.com/version-7-6-2-security-update/\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://theme-fusion.com/version-7-6-2-security-update/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.