CVE-2022-21662

HIGH EXPLOITED IN THE WILD

WordPress < 5.8.3 - Authenticated Stored Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-21662 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).

Description

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

References (6)

Core 6
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5039
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html

Scores

CVSS v3 8.0
EPSS 0.1424
EPSS Percentile 94.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2022-08-19
InTheWild.io 2022-08-19
CWE
CWE-79
Status published
Products (4)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
wordpress/wordpress < 5.8.3
Published Jan 06, 2022
Tracked Since Feb 18, 2026