CVE-2022-21661

8.0 HIGH

📋 TL;DR

CVE-2022-21661 is an SQL injection vulnerability in WordPress's WP_Query class due to improper input sanitization. This allows attackers to execute arbitrary SQL commands through plugins or themes that use WP_Query in specific ways. All WordPress sites running versions before 5.8.3 are affected.

💻 Affected Systems

Products:
  • WordPress
Versions: WordPress versions 3.7.0 through 5.8.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugins or themes that use WP_Query in specific ways. Core WordPress is vulnerable but exploitation requires vulnerable plugin/theme usage patterns.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, site defacement, or complete system takeover if the database user has elevated privileges.

🟠 Likely Case: Data exfiltration from the WordPress database, including user credentials, sensitive content, and configuration data.

🟢 If Mitigated: Limited impact if proper input validation is implemented at the application layer and the database user has minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires finding plugins/themes with specific WP_Query usage patterns. Public exploit code exists but requires adaptation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WordPress 5.8.3

Vendor Advisory: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84

Restart Required: No

Instructions:

1. Back up your WordPress site and database.
2. Update WordPress to version 5.8.3 or later via Dashboard > Updates.
3. Update all plugins and themes.
4. Test site functionality after the update.

🔧 Temporary Workarounds

No known workarounds

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement strict WAF rules to block SQL injection patterns at the network perimeter
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check the WordPress version in Dashboard > Updates, or examine the wp-includes/version.php file.

Check Version:

grep '\$wp_version' wp-includes/version.php

Verify Fix Applied:

Confirm the WordPress version is 5.8.3 or later and verify that commit 17efac8c8ec64555eff5cf51a3eff81e06317214 is present.
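The version check above, carried out as a small script (an added example, not part of the advisory): it reads $wp_version from a wp-includes/version.php and reports whether the install falls in the affected range 3.7.0 through 5.8.2, using a dotted-version comparison rather than a plain string compare so that 5.10.x is not mistaken for being older than 5.8.3. The function names and the sample version.php are constructed for the example.

```shell
#!/bin/sh
# Added example: decide whether a WordPress install is in the range
# affected by CVE-2022-21661 (3.7.0 .. 5.8.2) from its version.php.

# Print the value of $wp_version from a version.php file.
# The file contains a line like:  $wp_version = '5.8.2';
wp_version_from_file() {
    grep '^\$wp_version' "$1" | head -n 1 | cut -d"'" -f2
}

# Compare two dotted versions component by component.
# Prints -1, 0 or 1; missing components count as 0 and any
# non-numeric suffix (e.g. "-beta1") is ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ra=${a%%.*}; a=${a#"$ra"}; a=${a#.}
        rb=${b%%.*}; b=${b#"$rb"}; b=${b#.}
        ai=${ra%%[!0-9]*}; ai=${ai:-0}
        bi=${rb%%[!0-9]*}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) if VERSION lies within [LOW, HIGH] inclusive.
version_between() {
    [ "$(version_cmp "$1" "$2")" -ge 0 ] && [ "$(version_cmp "$1" "$3")" -le 0 ]
}

# Exit 0 if the install whose version.php is $1 is affected,
# 1 if not, 2 if the version could not be read.
wp_affected_by_cve_2022_21661() {
    ver=$(wp_version_from_file "$1")
    [ -n "$ver" ] || { echo "cannot read \$wp_version from $1" >&2; return 2; }
    version_between "$ver" 3.7.0 5.8.2
}

# Demo against a constructed version.php (not a real install).
demo=$(mktemp)
cat > "$demo" <<'EOF'
<?php
$wp_version = '5.8.2';
EOF
if wp_affected_by_cve_2022_21661 "$demo"; then
    echo "AFFECTED: $(wp_version_from_file "$demo") is in 3.7.0..5.8.2, update to 5.8.3+"
else
    echo "not in affected range (or version unreadable)"
fi
rm -f "$demo"
```

Point it at a real install with `wp_affected_by_cve_2022_21661 /path/to/wordpress/wp-includes/version.php`.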

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries in WordPress logs
  • Multiple failed login attempts followed by unusual SQL patterns
  • Unexpected database errors in error logs

Network Indicators:

  • HTTP requests with SQL injection patterns targeting WordPress endpoints
  • Unusual database connection patterns from web server

SIEM Query:

source="wordpress.log" AND ("SQL syntax" OR "database error" OR "wpdb::prepare")
