Vulnerability details: VCID-ct56-8gxd-dbar
Vulnerability ID VCID-ct56-8gxd-dbar
Aliases CVE-2022-21664
Summary WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to a lack of proper sanitization in one of the classes, there is potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Status Published
Exploitability 0.5
Weighted Severity 7.9
Risk 4.0
System Score Found at
epss 0.02219 https://api.first.org/data/v1/epss?cve=CVE-2022-21664
epss 0.02223 https://api.first.org/data/v1/epss?cve=CVE-2022-21664
epss 0.05004 https://api.first.org/data/v1/epss?cve=CVE-2022-21664
epss 0.05013 https://api.first.org/data/v1/epss?cve=CVE-2022-21664
cvssv3.1 7.4 https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957
ssvc Track https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957
cvssv3.1 7.4 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
ssvc Track https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
cvssv3.1 7.4 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
cvssv3.1 7.4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
cvssv3.1 7.4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-21664
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-21664
cvssv3.1 7.4 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
ssvc Track https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
cvssv3.1 7.4 https://www.debian.org/security/2022/dsa-5039
ssvc Track https://www.debian.org/security/2022/dsa-5039
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-21664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
1003243 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003243
c09ccfbc547d75b392dbccc1ef0b4442ccd3c957 https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
CVE-2022-21664 https://nvd.nist.gov/vuln/detail/CVE-2022-21664
DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
dsa-5039 https://www.debian.org/security/2022/dsa-5039
GHSA-jp3p-gw8h-6x86 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
msg00019.html https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
wordpress-5-8-3-security-release https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21664
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21664
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://www.debian.org/security/2022/dsa-5039
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:29Z/ Found at https://www.debian.org/security/2022/dsa-5039
Exploit Prediction Scoring System (EPSS)
Percentile 0.83909
EPSS Score 0.02219
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:54:37.012109+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/21xxx/CVE-2022-21664.json 37.0.0