| Vulnerability Name: | CVE-2022-21661 (CCN-216858) | ||||||||||||
| Assigned: | 2021-11-16 | ||||||||||||
| Published: | 2022-01-06 | ||||||||||||
| Updated: | 2022-04-12 | ||||||||||||
| Summary: | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. | ||||||||||||
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) 7.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C)
7.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-89 | ||||||||||||
| Vulnerability Consequences: | Data Manipulation | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-21661 Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html Source: XF Type: UNKNOWN wordpress-cve202221661-sql-injection(216858) Source: MISC Type: Patch, Third Party Advisory https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214 Source: CONFIRM Type: Third Party Advisory https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20220123 [SECURITY] [DLA 2884-1] wordpress security update Source: FEDORA Type: Third Party Advisory FEDORA-2022-e37e1e6c7a Source: FEDORA Type: Third Party Advisory FEDORA-2022-8472dd59ff Source: CCN Type: Packet Storm Security [01-13-2022] WordPress Core 5.8.2 SQL Injection Source: CCN Type: WordPress Web site WordPress 5.8.3 Security Release Source: MISC Type: Release Notes, Vendor Advisory https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ Source: DEBIAN Type: Third Party Advisory DSA-5039 Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [01-13-2022] Source: MISC Type: Exploit, Third Party Advisory, VDB Entry https://www.exploit-db.com/exploits/50663 Source: CCN Type: ZDI-22-020 WordPress Core WP_Query SQL Injection Information Disclosure Vulnerability Source: MISC Type: Third Party Advisory, VDB Entry https://www.zerodayinitiative.com/advisories/ZDI-22-020/ | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||