CVE-2022-21661 — HIGH (8.0)

Q: How severe is CVE-2022-21661?

CVE-2022-21661 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-21661?

Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Wordpress	Wordpress	>= 3.7, < 3.7.37
Fedoraproject	Fedora	34
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-89

References

http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.hExploitThird Party AdvisoryVDB Entry
https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3PatchThird Party Advisory
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00019.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/Release NotesVendor Advisory
https://www.debian.org/security/2022/dsa-5039Third Party Advisory
https://www.exploit-db.com/exploits/50663ExploitThird Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-22-020/Third Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.hExploitThird Party AdvisoryVDB Entry
https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3PatchThird Party Advisory
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00019.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproThird Party Advisory

FAQ

What is CVE-2022-21661?

CVE-2022-21661 is a vulnerability with a CVSS score of 8.0 (HIGH). WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is pos...

How severe is CVE-2022-21661?

CVE-2022-21661 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-21661?

Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Fedoraproject Fedora, Debian Debian Linux.