Vulnerability details: VCID-aq2b-4paf-nuc7
Vulnerability ID VCID-aq2b-4paf-nuc7
Aliases CVE-2022-21662
Summary WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (such as authors) in WordPress core are able to execute JavaScript/perform a stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases, going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Status Published
Exploitability 0.5
Weighted Severity 7.2
Risk 3.6
Weaknesses (1)
System Score Found at
epss 0.12015 https://api.first.org/data/v1/epss?cve=CVE-2022-21662
epss 0.1383 https://api.first.org/data/v1/epss?cve=CVE-2022-21662
cvssv3.1 8 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
ssvc Track https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
cvssv3.1 8 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
cvssv3.1 8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
cvssv3.1 8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
cvssv2 3.5 https://nvd.nist.gov/vuln/detail/CVE-2022-21662
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2022-21662
cvssv3.1 8 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
ssvc Track https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
cvssv3.1 8 https://www.debian.org/security/2022/dsa-5039
ssvc Track https://www.debian.org/security/2022/dsa-5039
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-21662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
1003243 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003243
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
CVE-2022-21662 https://nvd.nist.gov/vuln/detail/CVE-2022-21662
DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
dsa-5039 https://www.debian.org/security/2022/dsa-5039
GHSA-699q-3hj9-889w https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
msg00019.html https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
wordpress-5-8-3-security-release https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:20Z/ Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:20Z/ Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:20Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:20Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21662
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21662
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:20Z/ Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5039
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:57:20Z/ Found at https://www.debian.org/security/2022/dsa-5039
Exploit Prediction Scoring System (EPSS)
Percentile 0.93491
EPSS Score 0.12015
Published At Aug. 8, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:54:29.207965+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/21xxx/CVE-2022-21662.json 37.0.0