CVE-2022-21661: 
NixOS vulnerability analysis and mitigation

CVE-2022-21661 is a SQL injection vulnerability discovered in WordPress, affecting versions prior to 5.8.3. The vulnerability exists due to improper sanitization in WP_Query, where SQL injection is possible through plugins or themes that use it in a certain way. The issue was disclosed and patched in January 2022, affecting WordPress installations from version 3.7 to 5.8.2 (WordPress News, GitHub Advisory).

The vulnerability stems from the lack of proper validation of user-supplied strings before using them to construct SQL queries within the WP_Query class. The issue has been assigned a CVSS score of 7.5 (High), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited remotely without requiring privileges or user interaction (ZDI Advisory).

This vulnerability allows remote attackers to disclose sensitive information on affected WordPress installations. An attacker can leverage this vulnerability to disclose stored credentials, potentially leading to further system compromise (ZDI Advisory).

The vulnerability has been patched in WordPress version 5.8.3. All affected versions, going back to 3.7.37, have received security updates. WordPress strongly recommends keeping auto-updates enabled as there are no known workarounds for this vulnerability (WordPress News).

The vulnerability was responsibly disclosed through the Trend Micro Zero Day Initiative program. Multiple security researchers and organizations were involved in identifying and reporting the issue, including researchers from GiaoHangTietKiem JSC. Various Linux distributions including Debian and Fedora quickly released security advisories and patches for their packaged versions of WordPress (Debian Security, Fedora Update).