How the mentioned CVE works:
CVE-2022-21661 is a SQL injection in the WordPress WP_Query class, specifically in WP_Tax_Query, the helper that turns a tax_query argument into SQL. When a taxonomy clause used the field 'term_taxonomy_id', the values in its 'terms' array were only de-duplicated, never cast to integers or escaped, before being imploded straight into the generated condition `term_taxonomy_id IN (...)`. For the other field types (term_id, slug, name) the terms were first resolved to integer IDs through a separate lookup, which is why only the term_taxonomy_id path was injectable. An attacker who controls a string in that array can close the IN list and append arbitrary SQL to the main post query, for example a UNION SELECT against another table, and so read data from the WordPress database, including user records. No particular user role is required: WordPress core itself does not pass request data into tax_query, so the flaw is reachable only through a plugin or theme that forwards user-controlled values (from a search form, an AJAX or REST handler, a shortcode attribute and so on) into WP_Query or a wrapper such as get_posts(); depending on that code path the injection may be unauthenticated.
DailyCVE Form:
Platform: WordPress
Version: <5.8.3
Vulnerability: SQL Injection
Severity: High
Date: 2022-01-10
Prediction: 2022-01-25
What Undercode Say:
`wp --user=2 --role=author post list --fields=ID,post_ --tax_query='[{"taxonomy":"category","field":"term_id","terms":"1 UNION SELECT user_login,user_pass FROM wp_users -- "}]'`
`curl -s "http://vulnerable-site.com/wp-json/wp/v2/posts?tax_query=…malicious.payload…"`
`sqlmap -u "http://target.com/?cat=1" --batch --dbs`
How Exploit:
The attacker does not need a WordPress account; what they need is a plugin or theme that takes a request parameter and places it in the terms of a tax_query clause whose field is 'term_taxonomy_id'. Because those terms are concatenated into `term_taxonomy_id IN (...)` unescaped, a value such as `0) UNION SELECT ... FROM wp_users -- ` closes the IN list, appends a second SELECT (with the same column count as the post query) and comments out the rest, so rows from other tables, such as the usernames and password hashes in wp_users, come back in place of posts. The same injection point works for blind extraction when the page does not render the query results. The delivery channel is whatever the vulnerable plugin exposes: a front-end filter form, an admin-ajax action, or a custom REST route that forwards its arguments into WP_Query. The core wp/v2/posts endpoint does not accept a tax_query argument, so the curl line above assumes such a plugin route.
Protection from this CVE:
Update to WordPress 5.8.3 or later; the fix casts the terms of a term_taxonomy_id clause to integers before they reach the SQL. Plugin and theme developers should never forward raw request data into tax_query: cast term IDs with absint() or wp_parse_id_list() and restrict the 'field' value to a fixed allow-list before building the query. Keep user accounts at the least privilege they need, and treat a Web Application Firewall that filters SQL patterns as a stopgap rather than a fix, since the injection point accepts many encodings of the same payload.
Impact:
Disclosure of any table the database user can read, in practice usernames and password hashes from wp_users; site takeover if a weak hash is cracked or a password-reset key is read; exposure of private and draft post content and other user data.
Sources:
Reported By: nvd.nist.gov