Vulnerability Report

CVE-2022-21661

Title: SQL injection in WordPress via WP_Query

SQLi

Proof Of Concept

PoC Available for CVE-2022-21661

CWE Category CWE-89

Published Date Jan 06, 2022

Modified Date Aug 19, 2025

Exploit Status Available

Score 8.0 CVSS v3.1

Exploit Probability (EPSS)

90.36%

Vulnerability Summary

CVE-2022-21661: WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

Impacted Vendors

wordpress 1

Reference Links

http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/ https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ https://www.debian.org/security/2022/dsa-5039 https://www.exploit-db.com/exploits/50663 https://www.zerodayinitiative.com/advisories/ZDI-22-020/ http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/ https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ https://www.debian.org/security/2022/dsa-5039 https://www.exploit-db.com/exploits/50663 https://www.vicarius.io/vsociety/posts/understanding-the-wordpress-sql-injection-vulnerability-cve-2022-21661 https://www.zerodayinitiative.com/advisories/ZDI-22-020/

CVSS v3.1

Source Entity [email protected]

Severity HIGH

8.0

Attack Vector

NETWORK

Complexity

HIGH

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

Source Entity [email protected]

Severity MEDIUM

5.0

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:L/Au:N/C:P/I:N/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-21661 Exploits & PoCs (Proof Of Concept)

Exploit-DB https://www.exploit-db.com/exploits/50663

View Code

August 19, 2025 MODIFIED

Vulnerability data or affected products updated.

January 06, 2022 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity HIGH

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.