SQL Injection in WordPress Core: CVE-2022-21661

In January 2022, a critical vulnerability was disclosed in the WordPress core that allowed attackers to perform SQL injection attacks. Tracked as CVE-2022-21661, this vulnerability affects all versions of WordPress and could potentially allow attackers to take control of a WordPress website and its database.


As you might already know, WordPress has recently been exposed to a major SQL Injection vulnerability in its core code. In other words, this issue affects anyone and everyone using WordPress all the way back to version 3.7. Updating is mandatory!

If you’re unsure, the safest version that prevents this attack is WordPress 5.8.3. If you don’t know how to update WordPress, you can always ask your hosting provider to help you. The scale of this vulnerability is severe enough that you’ll find plenty of help to secure your blog.

So, what happened?

WordPress briefly mentioned the following in their announcement: “Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.”

GitHub commit that both confirms the bug and fixes it

One of the researchers credited with the find, ngocnb, has just published a post-mortem for this vulnerability.

His post is written in Vietnamese, so you will have to translate it yourself.

Because of how this vulnerability is described, as “SQL Injection in WordPress Core”, it can easily be misinterpreted. The author confirms this. Here is a rough translation:

Although the SQL injection originates from the WordPress Core filesystem, there is no way to trigger the attack by itself. Not on a plain WordPress site, at least. As such, you need to look for inconsistencies in Themes and Plugins. For example, if the Theme or Plugin is using WP_Query to call the Database and pass information to it.

He also illustrates this with a simple example. Suppose a Theme or Plugin passes POST data straight into WP_Query, like this:

new WP_Query(json_decode($_POST['query_variables']))

In that case, the payload can be delivered with an ordinary browser request.

Here’s a sample that the author provided:

{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<SQL Inject Code>"]}}} 

It seems that to see the actual SQL error, debug mode must be enabled on the WordPress site. You can verify this yourself by setting up a local test environment and experimenting with the vulnerability there.
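To make the distinction the author draws concrete, here is an added example, written for this article and not taken from the post, from ngocnb’s write-up, or from WordPress core. It shows the risky pattern quoted above beside a hardened version of the same handler. The handler and helper names are hypothetical; `absint()`, `sanitize_text_field()` and `wp_unslash()` are real WordPress core helpers, and the `category` taxonomy is an assumption for the example. The point is that the client never gets to choose `tax_query` fields or supply raw `terms`: the code fixes the taxonomy and field itself and coerces every term to a positive integer before WP_Query ever sees it, which holds regardless of whether core has been updated.

```php
<?php
// Added example, not from the original post or WordPress core.
// Function names are hypothetical; WordPress helpers used are real core functions.

// RISKY: the decoded JSON becomes the entire WP_Query argument set, so the client
// controls tax_query, meta_query, field names and the terms array. This is the
// pattern the article quotes.
function risky_query_handler() {
    $args = json_decode( $_POST['query_variables'] );
    return new WP_Query( $args );
}

// HARDENED: decode to an array, accept only an allow-list of client-controlled
// values, and build tax_query server-side with integer-only terms.
function build_safe_query_args( $raw_json ) {
    $input = json_decode( $raw_json, true );
    if ( ! is_array( $input ) ) {
        return array();
    }

    // Fixed defaults the client cannot override.
    $args = array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 10,
    );

    // Each accepted scalar gets its own sanitizer; nothing else is copied over.
    if ( isset( $input['paged'] ) ) {
        $args['paged'] = max( 1, (int) $input['paged'] );
    }
    if ( isset( $input['s'] ) ) {
        $args['s'] = sanitize_text_field( (string) $input['s'] );
    }

    // Taxonomy filter: taxonomy and field are hard-coded here (assumption: 'category'),
    // and every term is forced to a positive integer. Zero/invalid values are dropped.
    if ( ! empty( $input['term_ids'] ) && is_array( $input['term_ids'] ) ) {
        $term_ids = array_values( array_filter( array_map( 'absint', $input['term_ids'] ) ) );
        if ( $term_ids ) {
            $args['tax_query'] = array(
                array(
                    'taxonomy' => 'category',
                    'field'    => 'term_id',
                    'terms'    => $term_ids,
                ),
            );
        }
    }

    return $args;
}

function safe_query_handler() {
    $raw  = isset( $_POST['query_variables'] ) ? wp_unslash( $_POST['query_variables'] ) : '';
    $args = build_safe_query_args( $raw );
    if ( empty( $args ) ) {
        return null; // malformed or missing input: do not run a query at all
    }
    return new WP_Query( $args );
}
```

When reviewing a plugin or theme, the thing to search for is any place where request data (`$_POST`, `$_GET`, `$_REQUEST`, REST parameters) reaches `new WP_Query()`, `get_posts()` or `query_posts()` without passing through an allow-list like the one above. A handler that lets the client set `field` and `terms` directly is exactly the trigger the author describes, even on a site whose core is already on 5.8.3.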

Is your WordPress site safe from this attack?

So, naturally, the first question on everyone’s mind is: is my site safe? As the author pointed out, while the attack stems from Core (now patched), it is mostly themes and plugins one should be worried about.

As such, my advice is to double-check every plugin and theme you have active and ensure that each has been patched by its developer.

Understandably, this is going to be harder where a plugin or theme is no longer maintained.

Some plugins go back years and haven’t been updated since. Likewise, a lot of themes have been left to rot by their original developers. So, unless you’re 100% sure that all your resources have been patched, I would begin to look for alternatives.