vulnerability

WordPress Theme: Avada: CVE-2022-1386: Server-Side Request Forgery (SSRF)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Apr 19, 2022

Added

Dec 8, 2025

Modified

Apr 28, 2026

Description

The Fusion Builder plugin for WordPress, an Avada theme core plugin, is vulnerable to Server-Side Request Forgery in versions up to 3.6.2 along with the Avada theme in versions up to 7.6.2. This is due to insufficient validation in one of its form parameters. This makes it possible for unauthenticated attackers to interact with internal network hosts via specially crafted requests and can lead to sensitive information disclosure on certain configurations such as AWS.

Solution

avada-theme-cve-2022-1386

References

https://www.cve.org/CVERecord?id=CVE-2022-1386
https://www.wordfence.com/threat-intel/vulnerabilities/id/ad3de7e6-a080-4ce8-aa27-21e7f8fdb2c7?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-24703
CVE-2022-1386
https://attackerkb.com/topics/CVE-2022-1386
CWE-918
EUVD-EUVD-2022-24703

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report