WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WordPress < 5.8.3 - SQL Injection via WP_Query

Description

Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way.

Affects WordPress

5.8.2
Fixed in version 5.8.3
5.8.1
Fixed in version 5.8.3
5.8
Fixed in version 5.8.1
5.7.4
Fixed in version 5.7.5
5.7.3
Fixed in version 5.7.5
5.7.2
Fixed in version 5.7.3
5.7.1
Fixed in version 5.7.3
5.7
Fixed in version 5.7.3
5.6.6
Fixed in version 5.6.7
5.6.5
Fixed in version 5.6.7

References

CVE
CVE-2022-21661
URL
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
URL
https://hackerone.com/reports/1378209

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Ngocnb and Khuyenn from GiaoHangTietKiem JSC

Verified

Yes

WPVDB ID
7f768bcf-ed33-4b22-b432-d1e7f95c1317

Timeline

Publicly Published

2022-01-06 (about 7 months ago)

Added

2022-01-06 (about 7 months ago)

Last Updated

2022-04-12 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin