Vulnerability details: VCID-32ks-kc8x-t3bc
Vulnerability ID VCID-32ks-kc8x-t3bc
Aliases CVE-2022-21661
Summary WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
Status Published
Exploitability 2.0
Weighted Severity 7.2
Risk 10.0
System Score Found at
cvssv3.1 8 http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
ssvc Track* http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
epss 0.9023 https://api.first.org/data/v1/epss?cve=CVE-2022-21661
cvssv3.1 8 https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214
ssvc Track* https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214
cvssv3.1 8 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
ssvc Track* https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
cvssv3.1 8 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
ssvc Track* https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
cvssv3.1 8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
ssvc Track* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
cvssv3.1 8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
ssvc Track* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2022-21661
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-21661
cvssv3.1 8 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
ssvc Track* https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
cvssv3.1 8 https://www.debian.org/security/2022/dsa-5039
ssvc Track* https://www.debian.org/security/2022/dsa-5039
cvssv3.1 8 https://www.exploit-db.com/exploits/50663
ssvc Track* https://www.exploit-db.com/exploits/50663
cvssv3.1 8 https://www.zerodayinitiative.com/advisories/ZDI-22-020/
ssvc Track* https://www.zerodayinitiative.com/advisories/ZDI-22-020/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-21661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
https://www.vicarius.io/vsociety/posts/understanding-the-wordpress-sql-injection-vulnerability-cve-2022-21661
1003243 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003243
17efac8c8ec64555eff5cf51a3eff81e06317214 https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214
50663 https://www.exploit-db.com/exploits/50663
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
CVE-2022-21661 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/50663.txt
CVE-2022-21661 https://nvd.nist.gov/vuln/detail/CVE-2022-21661
DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
dsa-5039 https://www.debian.org/security/2022/dsa-5039
GHSA-6676-cqfm-gw84 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
msg00019.html https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
wordpress-5-8-3-security-release https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
WordPress-Core-5.8.2-SQL-Injection.html http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
ZDI-22-020 https://www.zerodayinitiative.com/advisories/ZDI-22-020/
Data source Exploit-DB
Date added Jan. 13, 2022
Description WordPress Core 5.8.2 - 'WP_Query' SQL Injection
Ransomware campaign use Unknown
Source publication date Jan. 13, 2022
Exploit type webapps
Platform php
Source update date Jan. 13, 2022
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at http://packetstormsecurity.com/files/165540/WordPress-Core-5.8.2-SQL-Injection.html
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21661
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21661
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5039
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://www.debian.org/security/2022/dsa-5039
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://www.exploit-db.com/exploits/50663
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://www.exploit-db.com/exploits/50663
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://www.zerodayinitiative.com/advisories/ZDI-22-020/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-09T14:12:39Z/ Found at https://www.zerodayinitiative.com/advisories/ZDI-22-020/
Exploit Prediction Scoring System (EPSS)
Percentile 0.99568
EPSS Score 0.9023
Published At Aug. 12, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:54:23.653613+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/21xxx/CVE-2022-21661.json 37.0.0