SQL Injection in Wordpress Wordpress-develop
CVE-2022-21661
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that us…
Vulnerability class: SQL Injection
EPSS: 0.904 (99.6th percentile).
CVSS v3 metric
CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Wordpress Wordpress-develop — versions < 5.8.3
Weakness classification (CWE)
Public proof-of-concept exploits
- z92g/CVE-2022-21661
- purple-WL/wordpress-CVE-2022-21661
- 0x4E0x650x6F/Wordpress-cve-CVE-2022-21661
- guestzz/CVE-2022-21661
- WellingtonEspindula/SSI-CVE-2022-21661
- sealldeveloper/CVE-2022-21661-PoC
- daniel616/CVE-2022-21661-Demo
- 7rootsec/CVE-2022-21661-Technical-Analysis
- Fauzan-Aldi/CVE-2022-21661
- w0r1i0g1ht/CVE-2022-21661
References
- github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 (x_refsource_CONFIRM)
- github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e0… (x_refsource_MISC)
- wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ (x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-22-020/ (x_refsource_MISC)
- DSA-5039 (vendor-advisory, x_refsource_DEBIAN)
- www.exploit-db.com/exploits/50663 (x_refsource_MISC)
- packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html (x_refsource_MISC)
- FEDORA-2022-8472dd59ff (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2022-e37e1e6c7a (vendor-advisory, x_refsource_FEDORA)
- [debian-lts-announce] 20220123 [SECURITY] [DLA 2884-1] wordpress security update (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2022-21661?
- CVE-2022-21661 is a high-severity vulnerability in Wordpress Wordpress-develop, classified under SQL Injection. CVSS score: 8.0/10. Published 2022-01-06.
- How severe is CVE-2022-21661?
- High severity. CVSS v3 base score is 8.0 out of 10.
- Is CVE-2022-21661 known to be exploited?
- 54 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.