{"id":"CVE-2022-21661","summary":"SQL injection in WordPress","details":"WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases, which go back as far as 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.","aliases":["BIT-wordpress-2022-21661","BIT-wordpress-multisite-2022-21661","GHSA-6676-cqfm-gw84"],"modified":"2026-04-11T12:38:35.624019Z","published":"2022-01-06T22:50:11Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/21xxx/CVE-2022-21661.json","cwe_ids":["CWE-89"]},"references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html"},{"type":"WEB","url":"https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/50663"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/understanding-the-wordpress-sql-injection-vulnerability-cve-2022-21661"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/21xxx/CVE-2022-21661.json"},{"type":"ADVISORY","url":"https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21661"},{"type":"ADVISORY","url":"ht
tps://www.debian.org/security/2022/dsa-5039"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-22-020/"},{"type":"FIX","url":"https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"3921fd373acaeeeee2029f762b676075cf375b33"},{"fixed":"09d6b97e496414dc67d5615f5ef9d134d566c720"},{"introduced":"36470a480cac07d34a355e9f8a9409c1349b6e07"},{"fixed":"27d0fd27462ca1a5fc23bb1016f0c9dcf886020a"},{"introduced":"54a3b49fa91b7beeb3da2f448154f9e75f005a9a"},{"fixed":"4ac803265e885ccff291536a7e0a33eb7e1225ef"},{"introduced":"842221094a5011886291b21fd7c705835d69e0bc"},{"fixed":"f398854685bb345810ee02dc5d9919e2f7b05c9d"},{"introduced":"e5e791f331d371ad6262c1893d84f5f2b6c26464"},{"fixed":"e362bce7b8e14da51c424b26d04b4246a628f219"},{"introduced":"87bf150016e042bc3e21f2f1cb9de44042b8cdb1"},{"fixed":"5d0b8f04298d60609e533963f1c2052c9e2e5bc4"},{"introduced":"b57f3aa5f00a127f209eff74b78787dd3fd5ed4d"},{"fixed":"0e774dfa5013dbfbfc814a18c684766513416704"},{"introduced":"f6a29831c76d2dbe82e9ae673539f910654c58a4"},{"fixed":"64deb5d8ebb1e220ce8c1ab19c7bbc6a77ca5a40"},{"introduced":"e3aafee3f2bc07e09bf79389f20ea3db731466c3"},{"fixed":"7fca78dc6bd0d33f583ce406f03175ab7112f1ac"},{"introduced":"fe47e6139dbfc0f0c9ce0d79da77926b5fceaa77"},{"fixed":"e00321cf4f72234a25ebb6ea5e612d32d2124d9f"},{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"4caa8c2b2250f67466c503d8b2df6ee2392202ba"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"691f31ccf6e675961d2601497379fdb019d1f455"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"3437c252f192963ad834a10215fece4798644aeb"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"639e2866242fe4e3d8edf46a2af1466d1856bcfd"},{"intro
duced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"ac959c4ed5201055b5e389eedabcad700834afd3"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"5d7a25cea6470083212f3131387b14269c2e198f"},{"introduced":"50dc0ca5bb332c895f0f39fe4e6ee1e4a43e06dc"},{"fixed":"d9599db63710e68b768523d0aea9de96fe4d1b31"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"1608dbd0c634bd5bd1de3ea9cfb3adc7a04a8d90"},{"introduced":"537fd931bc02e6e934a2d774422b897871aa87ad"},{"fixed":"b768932df8c10d1442201cb262d7922a9e9e7507"},{"introduced":"965fcddcf68cf4fd122ae24b992e242dfea1d773"},{"fixed":"be967a66f115a766e7a6e86078a3730d4313d41e"},{"introduced":"058f9903676a7efaee534a682df0a2a8b87574d8"},{"fixed":"4b3ac07dd0476ab2a67855b07c52e5072866c83c"},{"introduced":"50caeb6e61ad0c49d2c7e1d6d5115047a011f590"},{"fixed":"3c8a81ce485f3ed16617d99d0da9c1bedac4791c"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"3.7"},{"fixed":"3.7.37"},{"introduced":"3.8"},{"fixed":"3.8.37"},{"introduced":"3.9"},{"fixed":"3.9.35"},{"introduced":"4.0"},{"fixed":"4.0.34"},{"introduced":"4.1"},{"fixed":"4.1.34"},{"introduced":"4.2"},{"fixed":"4.2.31"},{"introduced":"4.3"},{"fixed":"4.3.27"},{"introduced":"4.4"},{"fixed":"4.4.26"},{"introduced":"4.5"},{"fixed":"4.5.25"},{"introduced":"4.6"},{"fixed":"4.6.22"},{"introduced":"4.7"},{"fixed":"4.7.22"},{"introduced":"4.8"},{"fixed":"4.8.18"},{"introduced":"4.9"},{"fixed":"4.9.19"},{"introduced":"5.0"},{"fixed":"5.0.15"},{"introduced":"5.1"},{"fixed":"5.1.12"},{"introduced":"5.2"},{"fixed":"5.2.14"},{"introduced":"5.3"},{"fixed":"5.3.11"},{"introduced":"5.4"},{"fixed":"5.4.9"},{"introduced":"5.5"},{"fixed":"5.5.8"},{"introduced":"5.6"},{"fixed":"5.6.7"},{"introduced":"5.7"},{"fixed":"5.7.5"},{"introduced":"5.8"},{"fixed":"5.8.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21661.json"}}
,{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"0"},{"fixed":"17efac8c8ec64555eff5cf51a3eff81e06317214"}],"database_specific":{"source":"REFERENCES"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21661.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}