CVSS 7.5 High

CVE-2022-21661: SQL Injection in WP_Query

Overview

  • CVE: CVE-2022-21661
  • Affected Versions: WordPress 3.7 to 5.8.2 (approximately 8 years of versions)
  • CVSS: 8.0 (High)
  • Authentication: Varies (unauthenticated exploitation possible via plugins)
  • Type: SQL Injection

In January 2022, an SQL injection vulnerability was discovered in WordPress's core WP_Query class. It affected virtually every version of WordPress since 3.7 — an extraordinarily wide impact spanning approximately 8 years of releases.

What Happened

WP_Query is the most fundamental database query class in WordPress, used for retrieving posts, searches, filtering, and countless other operations.

The issue lay in how WP_Query processed the tax_query parameter's terms and field values. When field was set to tt_ids, the terms value was incorporated into SQL queries without proper sanitization.

// Vulnerable code (simplified)
$terms = $tax_query['terms'];
// $terms is included in SQL without sanitization
$sql = "SELECT ... WHERE tt.term_taxonomy_id IN ($terms)";

How the Attack Works

While the vulnerability was difficult to exploit directly through WordPress's core UI, it was attackable through plugins and themes that pass user input to WP_Query:

  1. Identify a plugin that passes user input to WP_Query's tax_query parameter
  2. Set field to tt_ids and inject SQL injection payloads into terms
  3. Extract arbitrary data from the database

Many plugins use WP_Query for search and filtering functionality, creating numerous potential attack entry points.

Real-World Impact

  • All WordPress versions from 3.7 to 5.8.2 were affected (approximately 8 years)
  • The vast majority of WordPress sites worldwide were potentially vulnerable at disclosure
  • Thousands of plugins using WP_Query were indirectly affected
  • While large-scale automated attacks were limited, targeted exploitation was a significant concern
  • WordPress versions 3.7–3.8 were outside automatic security update coverage

Fix and Lessons

Fix: Patched in WordPress 5.8.3. Proper sanitization was added for the terms parameter in WP_Query's tax_query processing. Backport patches were provided for all versions since WordPress 3.7.
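The following PHP is an added example, not WordPress core's patch and not code from the page: it puts the unsanitized IN (...) construction from the snippet above beside the hardened form, and shows how a plugin that builds a tax_query from request input can sanitize on its own side so core's fix is not the only barrier. Function names (demo_*) and the sample input are assumptions; the field value is written as term_taxonomy_id, the spelling WP_Tax_Query accepts for the field this page refers to as tt_ids.

```php
<?php
// Added example (not WordPress core or Nyambush code). All demo_* names are
// assumptions made for this illustration.

// --- Unsafe pattern, mirroring the simplified vulnerable logic above ---
// Values are concatenated straight into the IN (...) list with no sanitisation.
function demo_build_tt_id_clause_unsafe(array $terms): string {
    return "SELECT p.ID FROM wp_posts p "
         . "JOIN wp_term_relationships tr ON tr.object_id = p.ID "
         . "WHERE tr.term_taxonomy_id IN (" . implode(',', $terms) . ")";
}

// --- Hardened form: term_taxonomy_id values must be positive integers ---
// Every element is cast to int (non-scalars and non-numeric strings become 0)
// and anything that is not a positive id is dropped, so only digits reach SQL.
function demo_sanitize_tt_ids(array $terms): array {
    $ids = array_map(fn($t) => is_scalar($t) ? (int) $t : 0, $terms);
    $ids = array_filter($ids, fn($id) => $id > 0);
    return array_values(array_unique($ids));
}

function demo_build_tt_id_clause_safe(array $terms): ?string {
    $ids = demo_sanitize_tt_ids($terms);
    if ($ids === []) {
        return null; // nothing valid to query; never emit an empty IN ()
    }
    return "SELECT p.ID FROM wp_posts p "
         . "JOIN wp_term_relationships tr ON tr.object_id = p.ID "
         . "WHERE tr.term_taxonomy_id IN (" . implode(',', $ids) . ")";
}

// What a plugin should do before handing request input to WP_Query:
// sanitise the terms list itself instead of relying on core to do it.
function demo_safe_tax_query(array $request): array {
    $raw = isset($request['tt']) ? (array) $request['tt'] : [];
    return [
        'post_type' => 'post',
        'tax_query' => [[
            'taxonomy' => 'category',
            'field'    => 'term_taxonomy_id',
            'terms'    => demo_sanitize_tt_ids($raw),
        ]],
    ];
}

// Constructed input, the kind of value a filter form might receive.
$input = ['3', '7', '7', 'abc', '-1', '0'];
echo demo_build_tt_id_clause_unsafe($input), PHP_EOL; // unvetted values reach SQL
echo demo_build_tt_id_clause_safe($input), PHP_EOL;   // ... IN (3,7)
print_r(demo_safe_tax_query(['tt' => $input]));       // terms => [3, 7]
```

The sanitizer returns an empty list rather than an empty string when nothing valid is supplied, and the safe builder refuses to emit a query in that case; an empty IN () is a syntax error in MySQL, so the caller must decide whether "no valid ids" means "no results" or "no filter".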

Lessons:

  1. Core code isn't immune: A vulnerability lurked in WordPress's core class for 8 years
  2. Indirect impact amplification: Core vulnerabilities cascade to every plugin that uses the affected code
  3. Version updates matter: Older versions may fall outside automatic security update coverage
  4. Input sanitization is non-negotiable: User input passed to query parameters must always be sanitized

Detection with Nyambush

Nyambush detects WordPress versions and cross-references them against CVE databases. When your site runs a version affected by core vulnerabilities like WP_Query's SQL injection, it displays warnings along with the CVSS score.

Even with auto-updates enabled, updates can fail silently. Nyambush's scheduled scans provide continuous monitoring of the actual running version, ensuring you always know your true exposure.
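As an added example (not Nyambush's scanner and not code from the page), the script below reads the version string WordPress keeps in wp-includes/version.php and decides whether a build falls in the affected 3.7 to 5.8.2 range. Reading the file rather than trusting a stored record is what catches an update that failed silently. Function names are assumptions; the FIXED_BY_BRANCH table holds only the 5.8.3 value taken from the page and must be completed from the vendor's release notes for the backported branches the page mentions.

```php
<?php
// Added example, not Nyambush's scanner. demo_* names are assumptions.

// First fixed release per branch. Only 5.8 => 5.8.3 comes from the page;
// WordPress shipped backports for every branch back to 3.7, so fill in the
// remaining branches from the 5.8.3 release notes before relying on this.
const FIXED_BY_BRANCH = [
    '5.8' => '5.8.3',
];

// Pull "$wp_version = '5.8.2';" out of the contents of version.php.
function demo_extract_wp_version(string $version_php): ?string {
    if (preg_match('/\$wp_version\s*=\s*[\'"]([^\'"]+)[\'"]/', $version_php, $m)) {
        return $m[1];
    }
    return null;
}

function demo_is_affected(string $version, array $fixed = FIXED_BY_BRANCH): bool {
    // Strip pre-release suffixes such as -beta1 or -RC2 before comparing.
    $clean = preg_replace('/-.*$/', '', $version);
    if (version_compare($clean, '3.7', '<')) {
        return false;                 // older than the affected range
    }
    if (version_compare($clean, '5.8.3', '>=')) {
        return false;                 // on or after the fix
    }
    // Inside 3.7 .. 5.8.2: vulnerable unless this branch received a backport
    // and the build is at or above it. Branches missing from the table are
    // treated as affected, the conservative choice for a scanner.
    [$major, $minor] = explode('.', $clean) + [1 => '0'];
    $branch = "$major.$minor";
    if (isset($fixed[$branch]) && version_compare($clean, $fixed[$branch], '>=')) {
        return false;
    }
    return true;
}

// Constructed sample: the relevant line of a wp-includes/version.php file.
$sample = "<?php\n\$wp_version = '5.8.2';\n";
$v = demo_extract_wp_version($sample);
printf("WordPress %s affected by CVE-2022-21661: %s\n",
       $v, demo_is_affected($v) ? 'yes' : 'no');   // 5.8.2 -> yes
printf("WordPress 5.8.3 affected: %s\n",
       demo_is_affected('5.8.3') ? 'yes' : 'no');  // no
```

Run it on a schedule against the live install (for example from cron) so the comparison is always made against the version actually on disk, which is the check the paragraph above describes.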
