WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WordPress < 5.8.3 - Super Admin Object Injection in Multisites

Description

On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.

Affects WordPress

5.8.2
Fixed in version 5.8.3
5.8.1
Fixed in version 5.8.3
5.8
Fixed in version 5.8.3
5.7.4
Fixed in version 5.7.5
5.7.3
Fixed in version 5.7.5
5.7.2
Fixed in version 5.7.5
5.7.1
Fixed in version 5.7.5
5.7
Fixed in version 5.7.5
5.6.6
Fixed in version 5.6.7
5.6.5
Fixed in version 5.6.7

References

CVE
CVE-2022-21663
URL
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
URL
https://hackerone.com/reports/541469

Classification

Type

OBJECT INJECTION

OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher

Simon Scannell of SonarSource

Verified

Yes

WPVDB ID
008c21ab-3d7e-4d97-b6c3-db9d83f390a7

Timeline

Publicly Published

2022-01-06 (about 7 months ago)

Added

2022-01-06 (about 7 months ago)

Last Updated

2022-04-13 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin