Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-21661 — SQL Injection in Wordpress Wordpress-develop

CWE-89 — SQL Injection6 documents6 sources

Severity

7.5HIGHNVD

VulnCheck8.0

EPSS

90.9%

top 0.37%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wordpress Wordpress-develop Wordpress Debian Wordpress +2 more

Timeline

PublishedJan 6

Latest updateJan 13

Description

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vul…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/wordpress< wordpress 5.8.3+dfsg1-1 (bookworm)

▶NVDwordpress/wordpress3.7 — 3.7.37+21

▶CVEListV5wordpress/wordpress-develop< 5.8.3

▶Debianwordpress/wordpress< 5.7.5+dfsg1-0+deb11u1+3

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-21661: WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database↗2022-01-06

▶

VulnCheck

WordPress wordpress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2022

▶

💥Exploits & PoCs

Exploit-DB

WordPress Core 5.8.2 - 'WP_Query' SQL Injection↗2022-01-13

▶

Nuclei

WordPress <5.8.3 - SQL Injection

▶

📋Vendor Advisories

Debian

CVE-2022-21661: wordpress - WordPress is a free and open-source content management system written in PHP and...↗2022

▶