CVE-2022-21661
Published: 06 January 2022
Summary
CVE-2022-21661 is a high-severity SQL injection (CWE-89) vulnerability in WordPress core (vendor: WordPress). Its CVSS v3.1 base score is 8.0 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
WordPress, the widely used open-source PHP content management system, contains a SQL injection vulnerability (CWE-89) stemming from improper sanitization in the taxonomy-query handling (WP_Tax_Query) that WP_Query relies on: terms supplied for a tax_query whose field is set to term_taxonomy_id were not cast to integers before being placed in the generated SQL. Core itself does not expose this to untrusted input; the flaw is reachable only when a plugin or theme passes attacker-controlled data into WP_Query in that pattern, at which point the input can alter the generated statement. It affects all branches prior to the 5.8.3 release, and fixes were back-ported to the older supported lines, down to 3.7.37.
The CVSS vector behind the 8.0 score (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) assumes an attacker with high privileges (typically an administrative account) who supplies crafted input that reaches WP_Query under conditions satisfying the high attack-complexity requirement. In practice the privilege and complexity bar is set entirely by the plugin or theme in question: code that forwards unauthenticated request parameters into a tax_query lowers it substantially. Under the vector's assumptions, successful exploitation yields full read/write access to the database and affects confidentiality, integrity, and availability with changed scope, letting the attacker extract or modify arbitrary data and potentially compromise the entire site.
Advisories from the WordPress project, GitHub Security Advisories, Debian LTS, and Fedora state that the issue is resolved in version 5.8.3 and in the corresponding security releases for earlier branches; operators are strongly encouraged to leave automatic updates enabled, as no configuration workaround exists. Public exploit code has been posted to Packet Storm, and the EPSS score remains elevated, near 0.90.
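The following is an added illustration, not WordPress core code and not code from any real plugin. It models the risky call pattern the advisory describes (request input forwarded into a tax_query with field set to term_taxonomy_id) beside the hardened form, and uses a deliberately simplified model of how those terms land in the generated SQL. The function names, the build_tax_clause() model and the hostile input are assumptions constructed for this example.

```php
<?php
// Added example: models the WP_Query/tax_query pattern behind CVE-2022-21661.
// Not WordPress core code; build_tax_clause() is an assumed, simplified stand-in
// for the IN (...) clause WordPress builds for term_taxonomy_id lookups.

// Simplified model (assumption): before 5.8.3, term_taxonomy_id terms reached
// the SQL without an integer cast, so whatever the plugin passed was imploded.
function build_tax_clause(array $terms): string
{
    return 'term_taxonomy_id IN (' . implode(',', $terms) . ')';
}

// Vulnerable plugin-side pattern (hypothetical plugin code): request data is
// handed to WP_Query as tax_query terms with no sanitization at all.
function vulnerable_query_args(array $request): array
{
    return [
        'tax_query' => [[
            'taxonomy' => 'category',
            'field'    => 'term_taxonomy_id',
            'terms'    => (array) ($request['cat'] ?? []),   // unsanitized
        ]],
    ];
}

// Hardened pattern: cast every term to int before WP_Query sees it.
// Core 5.8.3 applies this cast inside WP_Tax_Query for the term_taxonomy_id
// field; a plugin should do it at the boundary regardless of core version.
function hardened_query_args(array $request): array
{
    return [
        'tax_query' => [[
            'taxonomy' => 'category',
            'field'    => 'term_taxonomy_id',
            'terms'    => array_map('intval', (array) ($request['cat'] ?? [])),
        ]],
    ];
}

// Constructed hostile input: a string where an integer term ID was expected.
$request = ['cat' => '1) OR 1=1 -- '];

$variants = [
    'vulnerable' => vulnerable_query_args($request),
    'hardened'   => hardened_query_args($request),
];

foreach ($variants as $label => $args) {
    $terms = $args['tax_query'][0]['terms'];
    echo str_pad($label, 11), ': ', build_tax_clause($terms), PHP_EOL;
}
```

Run with `php example.php` (no WordPress install needed). The vulnerable variant shows the attacker-supplied text spliced verbatim into the clause, while the hardened variant reduces it to the single integer 1. When auditing a site that cannot be updated immediately, grep plugins and themes for tax_query arrays whose terms are derived from $_GET, $_POST or $_REQUEST and confirm they apply the same cast.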
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26878
Vulnerability details
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.