logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WordPress < 5.8.3 - Super Admin Object Injection in Multisites

Description

On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.

Affects WordPresses

5.8.2

Fixed in version 5.8.3

5.8.1

Fixed in version 5.8.3

5.8

Fixed in version 5.8.3

5.7.4

Fixed in version 5.7.5

5.7.3

Fixed in version 5.7.5

5.7.2

Fixed in version 5.7.5

5.7.1

Fixed in version 5.7.5

5.7

Fixed in version 5.7.5

5.6.6

Fixed in version 5.6.7

5.6.5

Fixed in version 5.6.7

References

CVE

CVE-2022-21663

URL

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h

URL

https://hackerone.com/reports/541469

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Original Researcher

Simon Scannell of SonarSource

Verified

Yes

WPVDB ID

008c21ab-3d7e-4d97-b6c3-db9d83f390a7

Timeline

Publicly Published

2022-01-06 (about 15 days ago)

Added

2022-01-06 (about 15 days ago)

Last Updated

2022-01-06 (about 15 days ago)

Our Other Services

WPScan WordPress Security Plugin