Fusion Builder < 3.6.2 - Unauthenticated SSRF
Description
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, is vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via a parameter in its forms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Fusion Builder plugin before version 3.6.2, used in the Avada theme (versions 7.6.1 and below), contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The plugin's form functionality does not validate a parameter that can be used to initiate arbitrary HTTP requests from the server. The data returned is then reflected back in the application's response [1], [2], [3].
Exploitation
An attacker can exploit this SSRF vulnerability without authentication or user interaction. By sending a crafted HTTP request to a vulnerable site hosting the Avada theme and Fusion Builder plugin, the attacker can manipulate the unvalidated parameter to direct the server to make requests to internal hosts. This can target the loopback interface (127.0.0.1) or other hosts on the server's local network, bypassing firewalls and access controls [2]. The attacker does not need any special network position beyond reachability to the web server.
Impact
Successful exploitation allows an attacker to interact with internal systems that are normally inaccessible, such as scanning and attacking services on the local network, enumerating services on the same server via localhost, and potentially exploiting host-based authentication services. The SSRF can lead to information disclosure and further compromise of internal resources [2].
Mitigation
The vulnerability is fixed in Fusion Builder version 3.6.2 and Avada version 7.6.2 (security update) or later [1], [3]. Users are strongly advised to update their Avada theme and Fusion Builder plugin to the latest available versions. No workaround is provided. The issue was responsibly disclosed by Calum Elrick of Rootshell Security and patched promptly by Theme Fusion [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), affected range: <3.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of a parameter in the prebuilt contact form builders allows an attacker to control the target of a server-side HTTP request, leading to Server-Side Request Forgery (SSRF)."
Attack vector
An attacker manipulates a parameter in the theme's prebuilt contact form to inject an arbitrary URL. The server then makes an HTTP request to that URL on behalf of the attacker. Because the request originates from the vulnerable server, it can reach internal hosts on the local network or the loopback interface that would otherwise be blocked by firewalls [ref_id=1]. The response from the internal target is reflected back in the application's output, enabling the attacker to scan internal systems, enumerate services, and exploit host-based authentication mechanisms [ref_id=1].
Affected code
The vulnerability resides in the prebuilt contact form builders of the Avada theme (Fusion Builder WordPress plugin before version 3.6.2). The advisory [ref_id=1] identifies that a parameter in these forms is not validated, allowing an attacker to control the target of an HTTP request made by the server.
What the fix does
Theme Fusion addressed the issue in Avada versions 7.6.2 (security update) and 7.7, which correspond to Fusion Builder version 3.6.2 [ref_id=1]. The patch adds validation to the parameter in the contact form builders to prevent arbitrary HTTP requests. No further technical details of the fix are provided in the advisory [ref_id=1].
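The advisory says only that the fix validates the attacker-controlled target parameter. As an added illustration, not Theme Fusion's code or the actual patch, the check below is the kind a defender applies before any server-side request built from form input: scheme allow-list, no userinfo, and rejection of any literal or resolved address in loopback, private, link-local or IPv4-mapped ranges. The hostnames and addresses in CONSTRUCTED_DNS are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name->address table so the example runs offline; in production
# resolve with socket.getaddrinfo and check EVERY returned address.
CONSTRUCTED_DNS = {
    "forms.example.org": ["203.0.113.10"],
    "intranet.example.org": ["10.0.0.5"],
    "rebind.example.org": ["203.0.113.10", "127.0.0.1"],  # one bad record poisons the set
}
ALLOWED_SCHEMES = {"http", "https"}
# Explicit deny list of non-public ranges. (ipaddress.is_global would also reject
# RFC 5737 documentation space, used above as a stand-in for a public host.)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_blocked(addr: str) -> bool:
    """True if addr is loopback, private, link-local or otherwise non-public."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in an IPv6 coat: judge the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url, resolve=lambda host: CONSTRUCTED_DNS.get(host, [])):
    """Return (ok, reason, pinned_ip). Connect to pinned_ip (with the original
    Host header) so the name cannot be re-resolved to another address between
    this check and the real request (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:  # literal IP (incl. bracketed IPv6) is checked directly ...
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:  # ... names and 0x7f000001-style spellings go to the resolver
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve", None
    if any(is_blocked(a) for a in addrs):
        return False, "resolves to non-public address", None
    return True, "ok", addrs[0]
```

The HTTP client must also refuse to follow redirects, or re-run this check on every hop, since a public host can redirect the server to an internal address after validation.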
Preconditions
- config: The site must use the Avada theme with a Fusion Builder plugin version before 3.6.2.
- input: The attacker must be able to submit a crafted form request to the vulnerable contact form endpoint.
- auth: No authentication is required; the form is typically publicly accessible.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. theme-fusion.com/version-7-6-2-security-update/ (MITRE x_refsource_MISC)
2. wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b (MITRE x_refsource_MISC)
3. www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.