CVSS 8.0 (High)

CVE-2022-21662: Stored XSS via Post Slugs

Overview

  • CVE: CVE-2022-21662
  • Affected Versions: WordPress 3.7 to 5.8.2
  • CVSS: 8.0 (High)
  • Authentication: Author role required
  • Type: Stored Cross-Site Scripting (XSS)

In January 2022, a Stored XSS vulnerability was discovered in WordPress's post slug (URL slug) handling. It had gone undetected for over 3 years and even affected wordpress.org itself.

What Happened

WordPress allows users to set post URL slugs (e.g., my-blog-post). These slugs are normally sanitized and converted to URL-safe strings.

However, when a user with Author privileges manipulated the slug value, under specific conditions the unsanitized value reached a code path where embedded JavaScript was stored and later executed.

Key issues:

  • The slug value was output without escaping in certain admin panel locations
  • When an Author-level user created a malicious slug, XSS would fire when an administrator viewed that post
  • Being Stored (persistent) XSS, it executed every time an admin opened the page

How the Attack Works

  1. Create a malicious slug: An Author-level user creates a post with an XSS payload embedded in the slug

  2. Wait for admin to view: When an administrator views the post list or edit screen containing the malicious post, the XSS fires

  3. Admin privilege hijacking: The XSS steals the administrator's session cookie or performs arbitrary actions with admin privileges:

    • Create new administrator accounts
    • Install plugins (containing backdoors)
    • Modify site settings
    • Reset other users' passwords

  4. Persistent backdoor: Install backdoors in plugin or theme files, maintaining access even if the XSS slug is fixed

Real-World Impact

  • All WordPress versions from 3.7 to 5.8.2 were affected (approximately 8 years of versions)
  • Went undetected for over 3 years
  • wordpress.org itself runs on WordPress and was potentially affected
  • In multisite environments, regular users often have Author privileges, expanding the impact
  • Blog platforms and media sites that accept external writers were particularly at risk

Fix and Lessons

Fix: Patched in WordPress 5.8.3. Proper output escaping was added for slug values. The fix was backported to all supported versions back to WordPress 3.7.

Lessons:

  1. Stored XSS severity: Once saved, it executes on every page view
  2. Privilege escalation vector: XSS isn't "just script execution" — it directly leads to admin account takeover
  3. Long-term dormancy: Over 3 years undetected — vulnerabilities can hide in previously reviewed code
  4. Output escaping is essential: Even trusted data must be escaped when rendered as HTML
  5. Principle of least privilege: Even Authors can attack administrators — grant permissions carefully
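The two defensive points above, escaping slug values on output and hunting for slugs that bypassed sanitization, are shown in the following added example. It is not code from this page, from WordPress or from Nyambush; it assumes a wp_posts export as (post_id, post_author, post_name) tuples, assumes the character set of a sanitized slug (lowercase letters, digits, hyphen, underscore and percent-encoded bytes), and uses Python's html.escape where WordPress would use esc_attr().

```python
import html
import re

# Assumed character set of a slug that went through WordPress sanitization:
# lowercase letters, digits, hyphen, underscore and percent-encoded bytes.
# Any other character means the value reached the database unsanitized.
SAFE_SLUG = re.compile(r"^[a-z0-9%_-]*$")


def is_suspicious_slug(slug: str) -> bool:
    """True when a stored post_name contains characters a sanitized slug never has."""
    return SAFE_SLUG.fullmatch(slug) is None


def render_slug_cell(slug: str, escape: bool) -> str:
    """Build the admin list-table cell that displays a slug.

    escape=False mirrors the vulnerable pattern (raw value placed into HTML);
    escape=True is the hardened form, the equivalent of WordPress's esc_attr().
    """
    value = html.escape(slug, quote=True) if escape else slug
    return f'<td class="slug">{value}</td>'


def audit_posts(rows):
    """rows: iterable of (post_id, post_author, post_name). Returns flagged rows."""
    return [(pid, author, slug) for pid, author, slug in rows if is_suspicious_slug(slug)]


# Constructed sample rows, not real data: a normal slug, a percent-encoded one,
# and one carrying a script tag; user id 7 stands in for an Author-role user.
SAMPLE_ROWS = [
    (101, 1, "my-blog-post"),
    (102, 1, "caf%c3%a9-menu"),
    (103, 7, 'release-notes"><script>alert(1)</script>'),
]

if __name__ == "__main__":
    for pid, author, slug in audit_posts(SAMPLE_ROWS):
        print(f"post {pid} by user {author}: suspicious slug {slug!r}")
    # The escaped cell contains no live tag, only text the browser displays.
    print(render_slug_cell(SAMPLE_ROWS[2][2], escape=True))
```

Run the audit against a full wp_posts dump after upgrading; a flagged row written by a low-privilege account is a candidate for incident review, not just cleanup.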

Detection with Nyambush

Nyambush detects WordPress versions and warns when a version containing this vulnerability is in use. Stored XSS vulnerabilities are particularly valuable to attackers, making version updates a high priority.

Set up scheduled scans to continuously monitor your WordPress version and reduce the risk of vulnerabilities that may lie dormant for extended periods.
