cbcvebase.
CVE-2022-21661
published 2022-01-06


Priority: P1 85 high · CVSS 3.1 score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW) · VulnCheck KEV · Initial access
EPSS: 97.80% (99.9th percentile)
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, SQL injection can be possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

Affected

33 ranges · showing 25

Vendor        | Product      | Version range                      | Fixed in
--------------|--------------|------------------------------------|------------------------------------
debian        | debian_linux |                                    |
debian        | debian_linux |                                    |
debian        | debian_linux |                                    |
debian        | wordpress    | < wordpress 5.8.3+dfsg1-1 (bookworm) | wordpress 5.8.3+dfsg1-1 (bookworm)
fedoraproject | fedora       |                                    |
fedoraproject | fedora       |                                    |
wordpress     | wordpress    | >= 0 < 5.7.5+dfsg1-0+deb11u1       | 5.7.5+dfsg1-0+deb11u1
wordpress     | wordpress    | >= 0 < 5.8.3+dfsg1-1               | 5.8.3+dfsg1-1
wordpress     | wordpress    | >= 0 < 5.8.3+dfsg1-1               | 5.8.3+dfsg1-1
wordpress     | wordpress    | >= 0 < 5.8.3+dfsg1-1               | 5.8.3+dfsg1-1
wordpress     | wordpress    | >= 3.7 < 3.7.37                    | 3.7.37
wordpress     | wordpress    | >= 3.8 < 3.8.37                    | 3.8.37
wordpress     | wordpress    | >= 3.9 < 3.9.35                    | 3.9.35
wordpress     | wordpress    | >= 4.0 < 4.0.34                    | 4.0.34
wordpress     | wordpress    | >= 4.1 < 4.1.34                    | 4.1.34
wordpress     | wordpress    | >= 4.2 < 4.2.31                    | 4.2.31
wordpress     | wordpress    | >= 4.3 < 4.3.27                    | 4.3.27
wordpress     | wordpress    | >= 4.4 < 4.4.26                    | 4.4.26
wordpress     | wordpress    | >= 4.5 < 4.5.25                    | 4.5.25
wordpress     | wordpress    | >= 4.6 < 4.6.22                    | 4.6.22
wordpress     | wordpress    | >= 4.7 < 4.7.22                    | 4.7.22
wordpress     | wordpress    | >= 4.8 < 4.8.18                    | 4.8.18
wordpress     | wordpress    | >= 4.9 < 4.9.19                    | 4.9.19
wordpress     | wordpress    | >= 5.0 < 5.0.15                    | 5.0.15
wordpress     | wordpress    | >= 5.1 < 5.1.12                    | 5.1.12

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command: action=ecsload&query={"tax_query":{"0":{"field":"term_taxonomy_id","terms":[""]}}}&ecs_ajax_settings={"post_id":"1", "current_page":1, "widget_id":1, "theme_id":1, "max_num_pages":10}
Command: &nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":[""]}}}
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing 'tax_query' with 'term_taxonomy_id' and an empty 'terms' array, the canonical SQLi payload pattern for this CVE.
  • A successful exploitation response contains both 'WordPress database error:' and 'error in your SQL syntax' in the HTTP response body, with a 200 status code and a text/html content type.
  • The vulnerability is triggered via improper sanitization in WP_Query when plugins or themes pass attacker-controlled tax_query parameters; monitor for JSON-encoded tax_query structures in POST bodies to admin-ajax.php.
  • Shodan queries 'cpe:"cpe:2.3:a:wordpress:wordpress"' and 'http.component:"wordpress"' can be used to identify exposed WordPress instances for proactive scanning.
  • The exploit payload uses the 'ecsload' action, which is specific to a particular plugin/theme that exposes WP_Query via admin-ajax.php. The underlying vulnerability is in WP_Query itself, so other action names may be used depending on which plugin or theme is installed.
  • The vulnerability affects WordPress versions as far back as 3.7; patched versions include 5.8.3 and backported security releases down to 3.7.37. Detection rules should account for the wide version range of affected installations.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv           |         | 7.5   | HIGH     |
vulncheck     |         | 8.0   | HIGH     |
vendor_debian |         | 8.0   | HIGH     |