CVE-2022-21661 Overview
CVE-2022-21661 is a SQL Injection vulnerability in WordPress, the widely-used open-source content management system. Due to improper sanitization in the WP_Query class, specifically within the WP_Tax_Query component, attackers can potentially inject malicious SQL commands through plugins or themes that utilize these functions in vulnerable ways. This vulnerability allows unauthorized access to sensitive database information and poses a significant risk to WordPress installations worldwide.
Critical Impact
This SQL injection vulnerability enables unauthenticated attackers to extract sensitive data from WordPress databases through improperly sanitized taxonomy queries, potentially exposing user credentials, private content, and configuration data.
Affected Products
- WordPress versions prior to 5.8.3 (patched versions available back to 3.7.37)
- Fedora 34 and 35
- Debian Linux 9.0, 10.0, and 11.0
Discovery Timeline
- January 6, 2022 - CVE-2022-21661 published to NVD
- January 2022 - WordPress releases security patch in version 5.8.3
- August 19, 2025 - Last updated in NVD database
Technical Details for CVE-2022-21661
Vulnerability Analysis
This SQL Injection vulnerability exists within the WordPress WP_Tax_Query class, which is responsible for handling taxonomy-related database queries. The root issue stems from insufficient input validation when processing the terms parameter in taxonomy queries. When plugins or themes pass user-controlled data to WP_Query with specific taxonomy parameters, the application fails to properly sanitize integer-type field values before incorporating them into SQL statements.
The vulnerability can be exploited remotely without authentication, allowing attackers to read arbitrary data from the WordPress database. While the impact is limited to data confidentiality (no direct write or execute capabilities), attackers could extract sensitive information including user credentials, private posts, and configuration data.
Root Cause
The vulnerability originates in src/wp-includes/class-wp-tax-query.php, where the terms array was processed uniformly regardless of the query field type. The original code treated all term values the same way, applying array_unique() without any type validation. When the field parameter was set to a value other than slug or name (such as term_id or term_taxonomy_id), the terms should have been validated as integers, but they were instead passed through unsanitized, so SQL syntax placed in a term value reached the query.
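As an added illustration of the root cause (constructed example, not WordPress code), the following Python models the two term-normalisation paths from the commit diff: the pre-fix path, which only de-duplicates the terms whatever the field, and the fixed path, which keeps that behaviour for the string fields slug and name but routes every other field through wp_parse_id_list(). The helpers parse_id_list() and php_absint() are Python approximations of the WordPress functions of the same name (wp_parse_list() splitting on commas and whitespace, then absint() on each element), and all inputs are constructed.

```python
"""Model of WP_Tax_Query term normalisation before and after the
CVE-2022-21661 fix. Constructed example; the real code is PHP in
wp-includes/class-wp-tax-query.php."""
import re

STRING_FIELDS = ("slug", "name")  # fields the fix still passes through array_unique()


def php_absint(value):
    """Model of WordPress absint(): PHP (int) cast followed by abs().
    PHP keeps a leading integer prefix and yields 0 for anything else."""
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, (int, float)):
        return abs(int(value))
    m = re.match(r"\s*[+-]?\d+", str(value))
    return abs(int(m.group())) if m else 0


def parse_id_list(values):
    """Model of wp_parse_id_list(): a scalar is split on commas/whitespace
    (wp_parse_list), every element goes through absint(), duplicates are
    dropped while preserving first-seen order."""
    if not isinstance(values, (list, tuple)):
        values = re.split(r"[\s,]+", str(values).strip())
    ids = []
    for v in values:
        n = php_absint(v)
        if n not in ids:
            ids.append(n)
    return ids


def normalize_terms_unpatched(field, terms):
    """Pre-5.8.3 behaviour: array_unique() on the raw terms, field ignored."""
    if not isinstance(terms, (list, tuple)):
        terms = [terms]
    return list(dict.fromkeys(terms))


def normalize_terms_patched(field, terms):
    """Behaviour after the fix in the diff: slug/name keep array_unique(),
    every other field (term_id, term_taxonomy_id) is coerced to integer IDs."""
    if field in STRING_FIELDS:
        if not isinstance(terms, (list, tuple)):
            terms = [terms]
        return list(dict.fromkeys(terms))
    return parse_id_list(terms)


def all_integer_ids(terms):
    """Invariant an integer-field term list must satisfy before it is
    interpolated into an IN (...) list: nothing but plain ints."""
    return all(isinstance(t, int) and not isinstance(t, bool) for t in terms)


if __name__ == "__main__":
    # Constructed inputs: a duplicated ID and a term carrying non-numeric text.
    for field, terms in (("term_id", ["3", "3", "7 trailing text"]),
                         ("slug", ["news", "news"])):
        before = normalize_terms_unpatched(field, terms)
        after = normalize_terms_patched(field, terms)
        print(f"{field}: unpatched={before} safe={all_integer_ids(before)} | "
              f"patched={after} safe={all_integer_ids(after)}")
```

The point the model makes is that the fix does not try to recognise hostile input; it changes the type of what reaches the query, so for integer fields only integers can ever be interpolated.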
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious requests to WordPress installations where plugins or themes expose WP_Query functionality with controllable taxonomy parameters. By injecting SQL syntax into the terms parameter when targeting integer-type fields, attackers can manipulate the underlying database queries to extract unauthorized information.
return;
}
- $query['terms'] = array_unique( (array) $query['terms'] );
+ if ( 'slug' === $query['field'] || 'name' === $query['field'] ) {
+ $query['terms'] = array_unique( (array) $query['terms'] );
+ } else {
+ $query['terms'] = wp_parse_id_list( $query['terms'] );
+ }
if ( is_taxonomy_hierarchical( $query['taxonomy'] ) && $query['include_children'] ) {
$this->transform_query( $query, 'term_id' );
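Review bot: the new else branch at `} else {` treats every field value other than slug and name as integer-valued and silently coerces it through wp_parse_id_list(); if another string-valued field were ever accepted by this class, its terms would degrade to a list of zeros rather than being rejected. Consider naming the integer fields explicitly (term_id, term_taxonomy_id) or adding a comment above the branch stating that assumption, so the next reader knows the coercion is deliberate and which fields it is meant for.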
Source: GitHub Commit for WordPress Fix
Detection Methods for CVE-2022-21661
Indicators of Compromise
- Unusual database query patterns in web server logs containing SQL injection syntax (UNION SELECT, etc.)
- Unexpected outbound data transfers from the database server
- Error log entries indicating malformed SQL queries in taxonomy-related functions
- Access log entries with abnormally long query strings targeting WordPress endpoints
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns targeting WordPress taxonomy parameters
- Implement database activity monitoring to detect anomalous query patterns from the WordPress application
- Review access logs for requests containing encoded SQL injection payloads in the tax_query parameter
- Deploy intrusion detection signatures for known CVE-2022-21661 exploitation attempts
Monitoring Recommendations
- Enable WordPress debug logging and monitor for database errors in taxonomy queries
- Configure SIEM rules to alert on SQL injection signatures in HTTP request parameters
- Monitor database query execution times for unusually long-running queries that may indicate data exfiltration
- Set up file integrity monitoring on WordPress core files to detect unauthorized modifications
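The detection and monitoring points above can be combined into one log check. The following Python script is an added example (not part of the original advisory or of WordPress) that parses Combined Log Format access-log lines, decodes the query string twice to unwrap double encoding, looks for SQL syntax in any parameter value, and, independently of signatures, flags a tax_query clause whose integer-field terms are not plain integers. The parameter names tax_query[i][field] and tax_query[i][terms] follow the shape of WP_Query's tax_query argument and are an assumption; a real plugin may expose them under its own names. The log lines are constructed samples.

```python
"""Access-log scan for CVE-2022-21661 exploitation attempts.
Constructed example; not WordPress tooling."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined/Common Log Format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Coarse SQL-syntax signature applied to decoded parameter values.
SQL_SYNTAX = re.compile(
    r"\bunion\b\s+(all\s+)?select\b|\bselect\b.+\bfrom\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\binformation_schema\b|--\s|/\*|\bor\b\s+\S+\s*=\s*\S+",
    re.I,
)
# PHP array-style keys: tax_query[0][field], tax_query[0][terms][] ...
TAX_KEY = re.compile(r"^tax_query\[(\d+)\]\[(taxonomy|field|terms)\](?:\[\d*\])?$")
INT_FIELDS = ("term_id", "term_taxonomy_id")  # fields the fix routes through wp_parse_id_list()
INTEGER_LIST = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")
LONG_QUERY = 512  # bytes; constructed threshold for "abnormally long query string"


def group_tax_query(params):
    """Group tax_query[i][key] parameters into one dict per clause index."""
    clauses = {}
    for key, value in params:
        m = TAX_KEY.match(key)
        if m:
            clauses.setdefault(m.group(1), {}).setdefault(m.group(2), []).append(value)
    return clauses


def analyse_request(path):
    """Return the list of finding strings for one request target (path + query)."""
    findings = []
    query = urlsplit(path).query
    if len(query) > LONG_QUERY:
        findings.append(f"query string length {len(query)} exceeds {LONG_QUERY}")
    # parse_qsl decodes once; unquote again so double-encoded values are seen in clear.
    params = [(k, unquote(v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    for key, value in params:
        if SQL_SYNTAX.search(value):
            findings.append(f"sql syntax in parameter {key}")
    for idx, clause in group_tax_query(params).items():
        # WP_Tax_Query defaults 'field' to term_id, so a missing field is an integer field.
        field = clause.get("field", ["term_id"])[0]
        if field in INT_FIELDS:
            for term in clause.get("terms", []):
                if not INTEGER_LIST.match(term):
                    findings.append(
                        f"non-integer term {term!r} for integer field {field} in tax_query[{idx}]")
    return findings


def scan_log(lines):
    """Return (client_ip, target, findings) for every request with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m.group("path"))
        if findings:
            hits.append((m.group("ip"), m.group("path"), findings))
    return hits


# Constructed sample log: a clean integer query, a signature hit, a clean slug
# query, and a double-encoded non-integer term that no keyword signature matches.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jan/2022:10:00:01 +0000] "GET /?tax_query%5B0%5D%5Btaxonomy%5D=category&tax_query%5B0%5D%5Bfield%5D=term_id&tax_query%5B0%5D%5Bterms%5D=12 HTTP/1.1" 200 5123
203.0.113.9 - - [06/Jan/2022:10:00:02 +0000] "GET /?tax_query%5B0%5D%5Bfield%5D=term_taxonomy_id&tax_query%5B0%5D%5Bterms%5D=12%20UNION%20SELECT%201%20--%20 HTTP/1.1" 200 9981
198.51.100.2 - - [06/Jan/2022:10:00:03 +0000] "GET /?tax_query%5B0%5D%5Bfield%5D=slug&tax_query%5B0%5D%5Bterms%5D=news HTTP/1.1" 200 4010
198.51.100.7 - - [06/Jan/2022:10:00:04 +0000] "GET /?tax_query%5B0%5D%5Bterms%5D=7%2529%2520x HTTP/1.1" 200 7000
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, target)
        for f in findings:
            print("   -", f)
```

The structural check (an integer field receiving a non-integer term) is the one worth keeping in a SIEM rule: it does not depend on a keyword list, and it is exactly the condition the fix eliminates on patched hosts, so any hit on a patched site points at a plugin that builds its own query.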
How to Mitigate CVE-2022-21661
Immediate Actions Required
- Update WordPress to version 5.8.3 or later immediately
- Enable WordPress automatic updates to ensure timely security patch deployment
- Audit installed plugins and themes for direct usage of WP_Query with user-controlled taxonomy parameters
- Implement a web application firewall with SQL injection protection rules
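The audit step above is the one that does not get easier with a patch, because a plugin that passes request data into a taxonomy query is the exposure path whether or not core is current. The following Python script is an added heuristic (not WordPress tooling) that scans PHP source for a taxonomy-query argument with a request superglobal nearby and no integer sanitiser in the same window of lines; the window size, the sanitiser list and the two PHP samples are all constructed for the example.

```python
"""Heuristic audit for plugin/theme code that feeds request data into
WP_Query taxonomy arguments. Constructed example; findings are review
candidates, not confirmed vulnerabilities."""
import os
import re

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# 'tax_query' array key, or an explicit integer field selection.
TAX_ARG = re.compile(r"['\"]tax_query['\"]|['\"]field['\"]\s*=>\s*['\"](term_id|term_taxonomy_id)['\"]")
# Any of these named in the window is taken as evidence of integer coercion.
SANITIZER = re.compile(r"\b(absint|intval|wp_parse_id_list)\b")


def audit_php_source(src, window=10):
    """Return (line_number, reason) findings for one PHP file's contents.
    A taxonomy-query argument with a superglobal within `window` lines and
    no integer sanitiser in that same window is reported for review."""
    lines = src.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not TAX_ARG.search(line):
            continue
        lo, hi = max(0, i - window), min(len(lines), i + window + 1)
        block = "\n".join(lines[lo:hi])
        if SUPERGLOBAL.search(block) and not SANITIZER.search(block):
            findings.append((i + 1, "request data reaches a taxonomy query without an integer sanitiser nearby"))
    return findings


def audit_tree(root, window=10):
    """Walk a wp-content/plugins or wp-content/themes directory and audit every .php file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = audit_php_source(fh.read(), window)
                if hits:
                    report[path] = hits
    return report


# Constructed plugin snippet: request data flows straight into an integer-field term list.
VULNERABLE_SAMPLE = """<?php
// Constructed: category IDs taken from the request with no coercion.
$args = array(
    'post_type' => 'post',
    'tax_query' => array(
        array(
            'taxonomy' => 'category',
            'field'    => 'term_id',
            'terms'    => $_GET['cat_ids'],
        ),
    ),
);
$q = new WP_Query( $args );
"""

# Constructed plugin snippet: IDs are coerced to integers before reaching WP_Query.
SAFE_SAMPLE = """<?php
// Constructed: same query, IDs normalised with wp_parse_id_list() first.
$ids = wp_parse_id_list( $_GET['cat_ids'] );
$args = array(
    'tax_query' => array(
        array( 'taxonomy' => 'category', 'field' => 'term_id', 'terms' => $ids ),
    ),
);
$q = new WP_Query( $args );
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE)):
        print(label, audit_php_source(src))
```

Run audit_tree() against the plugins and themes directories of an installation; each reported line is a place to confirm by hand that terms for term_id or term_taxonomy_id are integers before WP_Query sees them, which is the same guarantee the core fix adds for its own code path.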
Patch Information
WordPress has released security patches addressing this vulnerability in version 5.8.3. Security fixes have also been backported to all supported branches going back to version 3.7.37, ensuring broad coverage for legacy installations. The fix can be reviewed in the GitHub Commit for WordPress Fix. According to the WordPress Security Release 5.8.3, WordPress strongly recommends keeping auto-updates enabled.
Additional security advisories have been published by Debian Security Advisory DSA-5039 and Fedora Package Announcement for their respective package repositories.
Workarounds
- The official advisory states that there are no known workarounds for this vulnerability; the measures below only reduce exposure until the update is applied
- Deploy a web application firewall with strict SQL injection filtering as a temporary measure
- Restrict network access to the WordPress administration and REST API endpoints
- Consider temporarily disabling plugins that heavily utilize taxonomy queries until updates can be applied
# Configuration example - enable WordPress core automatic updates
# Add to wp-config.php (PHP), above the line that requires wp-settings.php
define( 'WP_AUTO_UPDATE_CORE', true );

# WP-CLI commands - run from the WordPress installation root
# Verify the current WordPress version
wp core version
# Update WordPress core via WP-CLI
wp core update
# Verify the update was successful by comparing core files against the official checksums
wp core verify-checksums
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.