SQL injection in WordPress

CVE-2022-21661

8HIGH

Key Information

Vendor: WordPress
Status: WordPress-develop
Vendor: CVE Published:; 6 January 2022

Badges

👾 Exploit Exists🔴 Public PoC🟣 EPSS 91%

Summary

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

Affected Version(s)

wordpress-develop = < 5.8.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-21661
Created by z92g

wordpress-CVE-2022-21661
Created by purple-WL

CVE-2022-21661-WordPress-Core-5.8.2-WP_Query-SQL-Injection
Created by TAPESH-TEAM

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

👾
Exploit exists.
Sep 10, 2024
Risk change from: 7.5 to: 8 - (HIGH)
Aug 3, 2024
Vulnerability published.
Jan 6, 2022
Vulnerability Reserved.
Nov 16, 2021

Collectors

NVD DatabaseMitre Database10 Proof of Concept(s)