CVE-2022-21661
Published 2022-01-06
Priority: P185 · high · 7.5 CVSS 3.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 97.80% (99.9th percentile)
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, SQL injection is possible in some cases through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
Affected
33 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 5.8.3+dfsg1-1 (bookworm) | wordpress 5.8.3+dfsg1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| wordpress | wordpress | >= 0 < 5.7.5+dfsg1-0+deb11u1 | 5.7.5+dfsg1-0+deb11u1 |
| wordpress | wordpress | >= 0 < 5.8.3+dfsg1-1 | 5.8.3+dfsg1-1 |
| wordpress | wordpress | >= 3.7 < 3.7.37 | 3.7.37 |
| wordpress | wordpress | >= 3.8 < 3.8.37 | 3.8.37 |
| wordpress | wordpress | >= 3.9 < 3.9.35 | 3.9.35 |
| wordpress | wordpress | >= 4.0 < 4.0.34 | 4.0.34 |
| wordpress | wordpress | >= 4.1 < 4.1.34 | 4.1.34 |
| wordpress | wordpress | >= 4.2 < 4.2.31 | 4.2.31 |
| wordpress | wordpress | >= 4.3 < 4.3.27 | 4.3.27 |
| wordpress | wordpress | >= 4.4 < 4.4.26 | 4.4.26 |
| wordpress | wordpress | >= 4.5 < 4.5.25 | 4.5.25 |
| wordpress | wordpress | >= 4.6 < 4.6.22 | 4.6.22 |
| wordpress | wordpress | >= 4.7 < 4.7.22 | 4.7.22 |
| wordpress | wordpress | >= 4.8 < 4.8.18 | 4.8.18 |
| wordpress | wordpress | >= 4.9 < 4.9.19 | 4.9.19 |
| wordpress | wordpress | >= 5.0 < 5.0.15 | 5.0.15 |
| wordpress | wordpress | >= 5.1 < 5.1.12 | 5.1.12 |
Detection & IOCs (extracted from sources)
Command: `action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":[""]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, "widget_id":1, "theme_id":1, "max_num_pages":10}`
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing 'tax_query' with 'term_taxonomy_id' and an empty 'terms' array — the canonical SQLi payload pattern for this CVE.
- A successful exploitation response will contain both 'WordPress database error:' and 'error in your SQL syntax' in the HTTP response body, with a 200 status code and text/html content type.
- The vulnerability is triggered via improper sanitization in WP_Query when plugins or themes pass attacker-controlled tax_query parameters; monitor for JSON-encoded tax_query structures in POST bodies to admin-ajax.php.
- Shodan queries 'cpe:"cpe:2.3:a:wordpress:wordpress"' and 'http.component:"wordpress"' can be used to identify exposed WordPress instances for proactive scanning.
- The exploit payload uses the 'ecsload' action, which is specific to a particular plugin/theme that exposes WP_Query via admin-ajax.php. The underlying vulnerability is in WP_Query itself, so other action names may be used depending on which plugin or theme is installed.
- The vulnerability affects WordPress versions as far back as 3.7; patched versions include 5.8.3 and backported security releases down to 3.7.37. Detection rules should account for the wide version range of affected installations.
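The request-side and response-side indicators listed above, turned into a small detection routine. This is an added example, not code from the page's sources or from WordPress; the sample request tuples are constructed, and it inspects both the `query` and `query_vars` parameter names because the page shows payloads carried under each.

```python
import json
from urllib.parse import parse_qs

# Constructed sample of (method, path, POST body) tuples, not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     'action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":[""]}}}'),
    ("POST", "/wp-admin/admin-ajax.php",
     'action=ecsload&query={"tax_query":{"0":{"field":"slug","terms":["news"]}}}'),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc"),
    ("GET", "/index.php", ""),
]


def suspicious_tax_query(node) -> bool:
    """True if any clause, at any nesting depth, targets term_taxonomy_id
    with an empty or blank terms list (the pattern described on this page)."""
    if isinstance(node, dict):
        if node.get("field") == "term_taxonomy_id":
            terms = node.get("terms")
            if terms in ([], [""], ""):
                return True
        return any(suspicious_tax_query(v) for v in node.values())
    if isinstance(node, list):
        return any(suspicious_tax_query(v) for v in node)
    return False


def flag_request(method: str, path: str, body: str) -> bool:
    """Flag a POST to admin-ajax.php whose JSON query carries the pattern.
    Any action name is accepted, since the page notes 'ecsload' is plugin-specific."""
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    for key in ("query", "query_vars"):
        for raw in params.get(key, []):
            try:
                data = json.loads(raw)
            except ValueError:
                continue  # not JSON: not this payload shape
            if isinstance(data, dict) and suspicious_tax_query(data.get("tax_query")):
                return True
    return False


def response_indicates_error(status: int, content_type: str, body: str) -> bool:
    """Response-side indicator from the page: both strings, 200, text/html."""
    return (status == 200 and content_type.startswith("text/html")
            and "WordPress database error:" in body
            and "error in your SQL syntax" in body)


def scan(requests):
    """Return the indexes of flagged requests."""
    return [i for i, (m, p, b) in enumerate(requests) if flag_request(m, p, b)]
```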
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 8.0 | HIGH | — |
| vendor_debian | — | 8.0 | HIGH | — |
OSV
CVE-2022-21661: WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database
osv·2022-01-06·CVSS 7.5
VulnCheck
WordPress wordpress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2022·CVSS 8.0
CVE-2022-21661 [HIGH] WordPress wordpress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavail
Debian
CVE-2022-21661: wordpress - WordPress is a free and open-source content management system written in PHP and...
vendor_debian·2022·CVSS 8.0
Scope: local
bookworm: resolved (fixed in 5.8.3+dfsg1-1)
bullseye: resolved (fixed in 5.7.5+dfsg1-0+deb11u1)
forky: resolved (fixed in 5.8.3+dfsg1-1)
sid: resolved (fixed in 5.8.3+dfsg1-1)
trixie: resolved (fixed in 5.8.3+dfsg1-1)
No detection rules found.
Exploit-DB
WordPress Core 5.8.2 - 'WP_Query' SQL Injection
exploitdb·2022-01-13·CVSS 8.0
---
```text
# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/download/releases
# Version: &nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":[""]}}}
```
Nuclei
WordPress <5.8.3 - SQL Injection
nuclei·CVSS 7.5
WordPress before 5.8.3 is susceptible to SQL injection through multiple plugins or themes due to improper sanitization in WP_Query. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2022-21661
info:
  name: WordPress <5.8.3 - SQL Injection
  author: Marcio Mendes
  severity: high
  description: |
    WordPress before 5.8.3 is susceptible to SQL injection through multiple plugins or themes due to improper sanitization in WP_Query. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnera
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
- https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
- https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
- https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
- https://www.debian.org/security/2022/dsa-5039
- https://www.exploit-db.com/exploits/50663
- https://www.vicarius.io/vsociety/posts/understanding-the-wordpress-sql-injection-vulnerability-cve-2022-21661
- https://www.zerodayinitiative.com/advisories/ZDI-22-020/