CVE-2022-1386

CRITICAL · EXPLOITED · NUCLEI

Fusion Builder < 3.6.2 - Server-Side Request Forgery via Unvalidated Form Parameter

Title source: llm

Exploitation Summary

CVE-2022-1386 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including ardzz, im-hanzou and zycoder0day. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a functional proof-of-concept exploit for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder WordPress plugin versions prior to 3.6.2. The script automates the exploitation process by generating a fusion ID, crafting a malicious request, and sending it to the target to read arbitrary files or make internal HTTP requests.

Description

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Exploits (7)

nomisec · WORKING POC · 9 stars
by ardzz · infoleak
https://github.com/ardzz/CVE-2022-1386

This is a functional proof-of-concept exploit for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder WordPress plugin versions prior to 3.6.2. The script automates the exploitation process by generating a fusion ID, crafting a malicious request, and sending it to the target to read arbitrary files or make internal HTTP requests.

Classification: Working PoC (95%)
Attack type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Fusion Builder WordPress plugin < 3.6.2
No auth needed
Prerequisites: Target must have Fusion Builder plugin < 3.6.2 installed · Target must be accessible via HTTP/HTTPS
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 6 stars
by im-hanzou · remote
https://github.com/im-hanzou/fubucker

This repository contains a working PoC for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder < 3.6.2. It includes a mass vulnerability checker using GNU Parallel and a single-target exploiter script.

Classification: Working PoC (95%)
Attack type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Fusion Builder < 3.6.2
No auth needed
Prerequisites: GNU Parallel · jq · curl · target list or single target URL
Analyzed by devstral-2 on Feb 16, 2026
nomisec · SCANNER · 1 star
by zycoder0day · infoleak
https://github.com/zycoder0day/CVE-2022-1386-Mass_Vulnerability

This script is a mass vulnerability checker for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder < 3.6.2. It uses GNU Parallel to test multiple targets concurrently and categorizes them as vulnerable or not based on the response.

Classification: Scanner (90%)
Attack type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Fusion Builder < 3.6.2
No auth needed
Prerequisites: List of target URLs · GNU Parallel installed
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by fayassgit · infoleak
https://github.com/fayassgit/CVE-2022-1386-FusionBuilder-SSRF

This repository contains a functional Python PoC for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder < 3.6.2. The exploit fetches a nonce and sends a crafted multipart request to trigger an SSRF via admin-ajax.php.

Classification: Working PoC (95%)
Attack type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Fusion Builder < 3.6.2 (Avada WordPress theme)
No auth needed
Prerequisites: Target running vulnerable Fusion Builder plugin · Access to admin-ajax.php endpoint
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by kreeksec · poc
https://github.com/kreeksec/CVE-2022-1386

This repository contains a proof-of-concept for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder WordPress plugin. The exploit demonstrates how an attacker can read arbitrary files on the server by manipulating the `fusionAction` parameter in a POST request.

Classification: Working PoC (90%)
Attack type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Fusion Builder WordPress plugin
No auth needed
Prerequisites: Target must have Fusion Builder plugin installed and vulnerable
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC
by satyasai1460 · infoleak
https://github.com/satyasai1460/CVE-2022-1386

This is a functional PoC for CVE-2022-1386, an unauthenticated SSRF vulnerability in Fusion Builder < 3.6.2. It automates the exploitation process by generating a fusion ID, crafting a malicious request, and testing for vulnerability.

Classification: Working PoC (95%)
Attack type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Fusion Builder < 3.6.2
No auth needed
Prerequisites: Target URL with vulnerable Fusion Builder plugin
Analyzed by devstral-2 on Feb 16, 2026
vulncheck_xdb · WORKING POC
infoleak
https://github.com/lamcodeofpwnosec/CVE-2022-1386

This repository contains a functional proof-of-concept for CVE-2022-1386, an unauthenticated SSRF vulnerability in the Fusion Builder WordPress plugin. The exploit demonstrates how an attacker can read arbitrary files on the server by sending a crafted HTTP request to the plugin's form submission endpoint.

Classification: Working PoC (95%)
Attack type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Fusion Builder WordPress plugin
No auth needed
Prerequisites: Access to the target WordPress site with Fusion Builder plugin installed
Analyzed by devstral-2 on Feb 25, 2026

Nuclei Templates (1)

WordPress Fusion Builder < 3.6.2 - Server-Side Request Forgery
CRITICAL · by akincibor, MantisSTS, calumjelrick

References (3)

Core references
https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b (Exploit, Third Party Advisory; x_refsource_misc)
https://theme-fusion.com/version-7-6-2-security-update/ (Patch, Release Notes, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 9.8
EPSS: 0.9361
EPSS percentile: 99.8%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2024-01-02
CWE: CWE-918
Status: published
Products (2):
fusion_builder_project/fusion_builder < 3.6.2
theme-fusion/avada < 7.6.2
Published: May 16, 2022
Tracked since: Feb 18, 2026