CVE-2022-21661

SQL injection in WordPress

CVSS 8 HIGH | EPSS 97.8% | CWE-89
In short

WordPress has a SQL injection vulnerability in WP_Query where improperly sanitized input can allow attackers to execute unauthorized database commands through vulnerable plugins or themes. This flaw affects multiple WordPress versions and requires updating to patch the issue.

Technical detail

CWE-89 SQL injection in WP_Query, stemming from insufficient input sanitization, allows attackers to inject SQL through plugins or themes that pass insufficiently validated input into WP_Query. Exploitation requires a vulnerable plugin or theme that uses WP_Query in this way; when one is present, successful exploitation enables unauthorized database access and manipulation. Patched in WordPress 5.8.3, with security releases for older branches going back to 3.7.37.

Summary generated and translated by AI from the official description.
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H