Vulnerability details: VCID-xmct-x7bt-quhy
Vulnerability ID VCID-xmct-x7bt-quhy
Aliases CVE-2022-21663
Summary WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite installation, users with the Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Status Published
Exploitability 0.5
Weighted Severity 6.5
Risk 3.2
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
epss 0.00464 https://api.first.org/data/v1/epss?cve=CVE-2022-21663
epss 0.00914 https://api.first.org/data/v1/epss?cve=CVE-2022-21663
cvssv3.1 6.6 https://blog.sonarsource.com/wordpress-object-injection-vulnerability/
ssvc Track* https://blog.sonarsource.com/wordpress-object-injection-vulnerability/
cvssv3.1 6.6 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
ssvc Track* https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
cvssv3.1 6.6 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
ssvc Track* https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
cvssv3.1 6.6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
ssvc Track* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
cvssv3.1 6.6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
ssvc Track* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-21663
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2022-21663
cvssv3.1 6.6 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
ssvc Track* https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
cvssv3.1 6.6 https://www.debian.org/security/2022/dsa-5039
ssvc Track* https://www.debian.org/security/2022/dsa-5039
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-21663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
1003243 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003243
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
CVE-2022-21663 https://nvd.nist.gov/vuln/detail/CVE-2022-21663
DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
dsa-5039 https://www.debian.org/security/2022/dsa-5039
GHSA-jmmq-m8p8-332h https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
msg00019.html https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
wordpress-5-8-3-security-release https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
wordpress-object-injection-vulnerability https://blog.sonarsource.com/wordpress-object-injection-vulnerability/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://blog.sonarsource.com/wordpress-object-injection-vulnerability/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://blog.sonarsource.com/wordpress-object-injection-vulnerability/
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21663
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21663
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5039
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:27Z/ Found at https://www.debian.org/security/2022/dsa-5039
Exploit Prediction Scoring System (EPSS)
Percentile 0.63337
EPSS Score 0.00464
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:54:26.703907+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/21xxx/CVE-2022-21663.json 37.0.0