WordPress is one of the most popular content management systems (CMS) in the world. Many companies and organizations use it to create and manage their websites easily, thanks to its open-source nature, huge plugin ecosystem, and simple interface. But with great popularity comes a big challenge: security. In this long read, we’ll explore a high-impact security issue, CVE-2022-21663, that affected WordPress multisite installations—and explain why you should patch your site without delay.
What is CVE-2022-21663?
CVE-2022-21663 is a critical vulnerability in WordPress affecting all multisite installations before version 5.8.3 (with security fixes also backported to 3.7.37 and newer). This vulnerability allows users with Super Admin privileges to bypass some of WordPress’s extra security hardening—under certain conditions—through something called object injection.
While the bug does require the attacker to have Super Admin privileges (the highest level of control in multisite setups), the real trouble comes if an attacker gains that access by other means, such as phishing, a vulnerable plugin, or an insider threat: they could then exploit this bug to disable security hardening and potentially compromise every site on the network.
Object Injection: A Simple Explanation
Object injection is a kind of security vulnerability that usually happens in PHP when untrusted user input is passed to the unserialize() function. If not carefully handled, a hacker can “inject” a serialized object, causing PHP to execute malicious code or change key security settings.
In plain English: it’s like giving someone the keys to your car, but they replace the engine with a bomb before handing it back.
Here’s a simplified scenario for this vulnerability:
1. A user with Super Admin access finds a part of the WordPress codebase that unserializes data from user input (or from a compromised source).
2. They craft malicious input with a serialized PHP object containing “magic methods” (__wakeup, __destruct, etc.).
3. When PHP unserializes the input, these magic methods are called, which can allow code execution, permission escalation, turning off hardening, or even site takeover.
For CVE-2022-21663, the risk is that Super Admins could disable parts of WordPress’s built-in protections by abusing object injection.
Note: There are no known workarounds. The only real fix is updating WordPress to a patched version.
Digging Into The Patch
This vulnerability was patched in WordPress 5.8.3 and in concurrent security releases for all branches back to 3.7.37. The patch makes sure that untrusted data is never passed to the unserialize function in unsafe ways, and extra validation is applied where necessary.
Before

```php
// Assume $input is user data
$data = unserialize($input); // No validation! Risky!
```

After patch

```php
// Sanitization added
if (is_string($input)) {
    $data = maybe_safe_unserialize($input);
    // maybe_safe_unserialize ensures only safe objects get processed
}
// Hypothetical helper (not a WordPress function): instantiates no class,
// so no magic method such as __wakeup() can run while unserializing.
function maybe_safe_unserialize($input) {
    return unserialize($input, ['allowed_classes' => false]);
}
```
Warning: The above is a simplified example for educational purposes—you won’t find this exact code in WordPress!
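To make the scenario and the fix concrete, here is a self-contained PHP script added for this article (it is not WordPress code and not the real CVE-2022-21663 patch). It shows a magic method firing during unserialize() and flipping a constructed "hardening" flag, beside a hardened loader that refuses any object; the class HardeningToggle, the flag and the unsafe_load()/safe_load() helpers are all assumptions made for this illustration.

```php
<?php
// Added illustration, not WordPress code. The class, the global
// "hardening" flag and the two loaders are constructed for this demo.
declare(strict_types=1);

$GLOBALS['hardening_enabled'] = true;

// A class the application might legitimately ship (cache entry, logger...).
// PHP calls __wakeup() automatically while unserializing an instance.
class HardeningToggle {
    public bool $enabled = true;
    public function __wakeup(): void {
        // Fires for ANY serialized blob that names this class.
        $GLOBALS['hardening_enabled'] = $this->enabled;
    }
}

// Constructed untrusted input: a HardeningToggle with enabled=false.
$untrusted = 'O:15:"HardeningToggle":1:{s:7:"enabled";b:0;}';

// Vulnerable loader: the object is instantiated and __wakeup() runs.
function unsafe_load(string $input) {
    return unserialize($input);
}

// Hardened loader: no class may be instantiated, so no magic method runs.
// Any object in the blob comes back as __PHP_Incomplete_Class; reject it
// instead of passing it downstream, and reject malformed blobs too.
function safe_load(string $input) {
    $data = @unserialize($input, ['allowed_classes' => false]);
    if ($data === false && $input !== 'b:0;') {
        return null; // not valid serialized data
    }
    if ($data instanceof __PHP_Incomplete_Class) {
        return null; // an object was smuggled in
    }
    return $data;
}

unsafe_load($untrusted);
var_dump($GLOBALS['hardening_enabled']); // flag after the vulnerable path

$GLOBALS['hardening_enabled'] = true;
var_dump(safe_load($untrusted));         // the smuggled object is refused
var_dump($GLOBALS['hardening_enabled']); // flag untouched: __wakeup() never ran

var_dump(safe_load('a:1:{s:3:"key";s:5:"value";}')); // plain arrays still load
```

The instanceof check only inspects the top level; with allowed_classes set to false, nested objects also come back as incomplete-class stubs, so walk arrays recursively if you need to guarantee none reach application code.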
Why Should You Care?
- If you’re running WordPress multisite, and an attacker gains Super Admin access, they could bypass extra security hardening.
What Should You Do?
- Update WordPress immediately, at least to 5.8.3 or any patched version for your branch (e.g., 4.9.20, 5.7.5, etc.).
- Keep auto-updates enabled—this is the best defense against both known and future vulnerabilities.
Read the official advisory:
- WordPress Security Release 5.8.3
- CVE page at MITRE
Reference Links
- WordPress Security Release Announcement
- CVE-2022-21663 at CVE Details
- WordPress official documentation
Conclusion
CVE-2022-21663 is a reminder that even mature, well-maintained projects like WordPress can be susceptible to security bugs—sometimes, in areas you least expect. If you run a WordPress multisite network, this is one patch you cannot skip. Make sure your sites are protected!
Timeline
Published on: 01/06/2022 23:15:00 UTC
Last modified on: 07/28/2022 16:15:00 UTC