CVE-2022-1386: 
WordPress vulnerability analysis and mitigation

CVE-2022-1386 affects the Fusion Builder WordPress plugin before version 3.6.2, which is used in the Avada theme. The vulnerability was discovered and publicly disclosed on April 19, 2022. The issue affects the plugin's form functionality and was assigned a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue (CWE-918). The flaw exists because the plugin does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. An attacker can control both the URL (fusionAction parameter) and method (fusionActionMethod parameter) of the HTTP request, with the data returned being reflected back in the application's response (WPScan).

This vulnerability could allow attackers to interact with hosts on the server's local network, bypassing firewalls and access control measures. The impact includes the ability to scan and attack internal systems, enumerate and attack services running on internal hosts, and potentially exploit host-based authentication services (RootShell Security).

The vulnerability has been patched in Fusion Builder version 3.6.2 and Avada theme version 7.6.2. Users are strongly advised to update to these or later versions to protect against this vulnerability (Theme Fusion).