CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
74.6%
WordPress is a free and open-source content management system written in
PHP and paired with a MariaDB database. On a multisite, users with Super
Admin role can bypass explicit/additional hardening under certain
conditions through object injection. This has been patched in WordPress
version 5.8.3. Older affected versions are also fixed via security release,
that go back till 3.7.37. We strongly recommend that you keep auto-updates
enabled. There are no known workarounds for this issue.
github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
hackerone.com/reports/541469
launchpad.net/bugs/cve/CVE-2022-21663
nvd.nist.gov/vuln/detail/CVE-2022-21663
security-tracker.debian.org/tracker/CVE-2022-21663
wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
www.cve.org/CVERecord?id=CVE-2022-21663
www.debian.org/security/2022/dsa-5039
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
74.6%