CVE-2022-21663
Authenticated Object Injection in Multisites in WordPress
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
WordPress es un sistema de administración de contenidos gratuito y de código abierto escrito en PHP y emparejado con una base de datos MariaDB. En un multisitio, los usuarios con el rol de Super Admin pueden omitir el endurecimiento explícito/adicional bajo determinadas condiciones mediante una inyección de objetos. Esto ha sido parcheado en WordPress versión 5.8.3. Las versiones más antiguas afectadas también han sido corregidas por medio de una liberación de seguridad, que remonta a la versión 3.7.37. Le recomendamos encarecidamente que mantenga habilitadas las actualizaciones automáticas. No se presentan medidas de mitigación conocidas para este problema
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-01-06 CVE Published
- 2024-03-30 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://blog.sonarsource.com/wordpress-object-injection-vulnerability | 2024-08-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | < 5.8.3 Search vendor "Wordpress" for product "Wordpress" and version " < 5.8.3" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||