Cyber Resilience

CVE-2022-21661

Severity: High · Public PoC

Published: 06 January 2022

Modified: 19 August 2025
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 8.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9036 (99.6th percentile)
Risk Priority: 70 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21661 is a high-severity SQL Injection (CWE-89) vulnerability in WordPress. Its CVSS base score is 8.0 (High).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

WordPress, the widely used open-source PHP content management system, contains a SQL injection vulnerability (CWE-89) stemming from improper sanitization inside the WP_Query class. The flaw can be triggered when plugins or themes invoke WP_Query in specific patterns, allowing malicious input to alter the generated SQL statements. It affects all branches prior to the 5.8.3 release; the fix was back-ported to older supported lines as far back as 3.7.37.

An attacker must possess high privileges (typically an administrative account) and must supply crafted input that reaches WP_Query under conditions that satisfy the high attack-complexity requirement. Successful exploitation yields full read/write access to the database and affects confidentiality, integrity, and availability with changed scope, enabling the attacker to extract or modify arbitrary data and potentially compromise the entire site.

Advisories from the WordPress project, GitHub Security, Debian LTS, and Fedora state that the issue is resolved in version 5.8.3 and the corresponding security releases for earlier branches; operators are strongly encouraged to leave automatic updates enabled, as no configuration workarounds exist. Public exploit code has been posted to Packet Storm, and the EPSS score remains elevated near 0.90.

Vulnerability details

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- wordpress / wordpress: 3.7 to 3.7.37 · 3.8 to 3.8.37 · 3.9 to 3.9.35
- fedoraproject / fedora: 34, 35
- debian / debian linux: 9.0, 10.0, 11.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
