CVE-2022-21662: Stored XSS in WordPress
First published: Thu Jan 06 2022(Updated: )
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/wordpress | 5.0.15+dfsg1-0+deb10u1 5.0.19+dfsg1-0+deb10u1 5.7.8+dfsg1-0+deb11u2 6.1.1+dfsg1-1 6.3.1+dfsg1-1 | |
| WordPress WordPress | <5.8.3 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| <5.8.3 | ||
| =9.0 | ||
| =10.0 | ||
| =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
- https://hackerone.com/reports/425342
- https://security-tracker.debian.org/tracker/CVE-2022-21662
- https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
- https://www.debian.org/security/2022/dsa-5039
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
Frequently Asked Questions
What is CVE-2022-21662?
CVE-2022-21662 is a vulnerability in WordPress that allows low-privileged authenticated users to perform stored XSS attacks, potentially impacting high-privileged users.
How does CVE-2022-21662 affect WordPress?
CVE-2022-21662 affects WordPress by allowing low-privileged authenticated users to execute JavaScript and perform stored XSS attacks.
What is the severity of CVE-2022-21662?
The severity of CVE-2022-21662 is rated as high.
Which versions of WordPress are affected by CVE-2022-21662?
WordPress versions up to and excluding 5.8.3 are affected by CVE-2022-21662.
How can I fix CVE-2022-21662 in WordPress?
To fix CVE-2022-21662, update WordPress to version 5.8.3 or newer.
- collector/security-tracker-debian
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/title
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- package-manager/debian
- vendor/wordpress
- canonical/wordpress wordpress
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0