CVE-2022-21661
Last modified
CVE-2022-21661 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. EPSS estimates a 97.80% chance of exploitation in the next 30 days.
Description
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | >= 3.7, < 3.7.37 |
| Wordpress | Wordpress | >= 3.8, < 3.8.37 |
| Wordpress | Wordpress | >= 3.9, < 3.9.35 |
| Wordpress | Wordpress | >= 4.0, < 4.0.34 |
| Wordpress | Wordpress | >= 4.1, < 4.1.34 |
| Wordpress | Wordpress | >= 4.2, < 4.2.31 |
| Wordpress | Wordpress | >= 4.3, < 4.3.27 |
| Wordpress | Wordpress | >= 4.4, < 4.4.26 |
| Wordpress | Wordpress | >= 4.5, < 4.5.25 |
| Wordpress | Wordpress | >= 4.6, < 4.6.22 |
| Wordpress | Wordpress | >= 4.7, < 4.7.22 |
| Wordpress | Wordpress | >= 4.8, < 4.8.18 |
| Wordpress | Wordpress | >= 4.9, < 4.9.19 |
| Wordpress | Wordpress | >= 5.0, < 5.0.15 |
| Wordpress | Wordpress | >= 5.1, < 5.1.12 |
| Wordpress | Wordpress | >= 5.2, < 5.2.14 |
| Wordpress | Wordpress | >= 5.3, < 5.3.11 |
| Wordpress | Wordpress | >= 5.4, < 5.4.9 |
| Wordpress | Wordpress | >= 5.5, < 5.5.8 |
| Wordpress | Wordpress | >= 5.6, < 5.6.7 |
| Wordpress | Wordpress | >= 5.7, < 5.7.5 |
| Wordpress | Wordpress | >= 5.8, < 5.8.3 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
References
- http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.htmlExploit, Third Party Advisory, VDB Entry
- https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214Patch, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00019.htmlMailing List, Third Party Advisory
- https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/Release Notes, Vendor Advisory
- https://www.debian.org/security/2022/dsa-5039Third Party Advisory
- https://www.exploit-db.com/exploits/50663Exploit, Third Party Advisory, VDB Entry
- https://www.zerodayinitiative.com/advisories/ZDI-22-020/Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.htmlExploit, Third Party Advisory, VDB Entry
- https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214Patch, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00019.htmlMailing List, Third Party Advisory
- https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/Release Notes, Vendor Advisory
- https://www.debian.org/security/2022/dsa-5039Third Party Advisory
- https://www.exploit-db.com/exploits/50663Exploit, Third Party Advisory, VDB Entry
- https://www.vicarius.io/vsociety/posts/understanding-the-wordpress-sql-injection-vulnerability-cve-2022-21661Exploit, Third Party Advisory
- https://www.zerodayinitiative.com/advisories/ZDI-22-020/Third Party Advisory, VDB Entry
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2022-21661?
How severe is CVE-2022-21661?
How do I fix CVE-2022-21661?
Are you affected by CVE-2022-21661?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST