CVE-2022-21662
NixOS vulnerability analysis and mitigation

Overview

CVE-2022-21662 is a stored cross-site scripting (XSS) vulnerability affecting WordPress versions up to and including 5.8.2. It was discovered by Karim El Ouerghemmi and Simon Scannell of SonarSource and disclosed in January 2022. A low-privileged authenticated user (such as an Author) can store a JavaScript payload in a post slug; the payload then executes in the browsers of higher-privileged users, including administrators, when they view the affected content (SonarSource Blog, WordPress Advisory).

Technical details

The vulnerability lies in WordPress core's handling of post slugs, specifically in the _truncate_post_slug() function, which is invoked when a slug is longer than 200 characters. If the slug contains percent-encoded octets, the function first urldecode()s it and then re-encodes the decoded string with utf8_uri_encode(). Before the fix, utf8_uri_encode() percent-encoded only non-ASCII (multi-byte UTF-8) bytes, so ASCII characters such as < and > that had been percent-encoded in the input survived the round trip as literals. This mismatch between the decoding and the re-encoding step is what allows HTML to end up in the stored slug. The CVSS score varies between sources: NVD rates it 5.4 (Medium), while GitHub rates it 8.0 (High) (NVD, SonarSource Blog).

Impact

The vulnerability allows an attacker to execute arbitrary JavaScript in the browser context of other users, including administrators. This can lead to privilege escalation, account hijacking, and potential server compromise through actions performed with the administrator's session. When combined with certain plugins such as bbPress (versions earlier than 2.6.0), the issue could be exploited without any privileged account, which makes it particularly dangerous for public-facing WordPress installations (SonarSource Blog).

Mitigation and workarounds

The vulnerability was patched in WordPress 5.8.3, with security backports for all supported branches back to 3.7 (the oldest of which shipped as 3.7.37). The fix adds an optional parameter, $encode_ascii_characters, to utf8_uri_encode(); when set to true, non-alphanumeric ASCII characters are passed through rawurlencode() as well, so the re-encoding step no longer leaves them as literals. _truncate_post_slug() now calls utf8_uri_encode() with this parameter enabled. Site owners are strongly advised to keep auto-updates enabled and to upgrade to a patched version (WordPress Release, GitHub Advisory).
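The following PHP is an added illustration, not WordPress core code and not part of the original advisory. The two encoder functions are simplified models (an assumption, not the real implementation) of utf8_uri_encode() before and after the 5.8.3 fix, and truncate_slug() mirrors only the control flow of _truncate_post_slug(); slug_contains_raw_markup() is a hypothetical audit helper for checking stored slugs.

```php
<?php
// Added example, not WordPress core code. The two encoder functions are
// simplified models (assumption) of utf8_uri_encode() before and after the
// 5.8.3 fix; truncate_slug() mirrors the control flow of _truncate_post_slug().

/**
 * Model of the pre-5.8.3 behaviour: only bytes >= 0x80 (multi-byte UTF-8)
 * are percent-encoded. Any ASCII byte, including '<', '>' and '"', is copied
 * through unchanged. Output is capped at $length bytes when $length > 0.
 */
function model_uri_encode_old(string $s, int $length = 0): string
{
    $out = '';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $byte  = $s[$i];
        $piece = (ord($byte) < 0x80) ? $byte : rawurlencode($byte);
        if ($length > 0 && strlen($out) + strlen($piece) > $length) {
            break;
        }
        $out .= $piece;
    }
    return $out;
}

/**
 * Model of the patched behaviour with $encode_ascii_characters = true: every
 * byte goes through rawurlencode(), so only unreserved characters
 * (A-Z a-z 0-9 - _ . ~) survive literally and '<' becomes '%3C' again.
 */
function model_uri_encode_new(string $s, int $length = 0, bool $encode_ascii_characters = false): string
{
    if (!$encode_ascii_characters) {
        return model_uri_encode_old($s, $length);
    }
    $out = '';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $piece = rawurlencode($s[$i]);
        if ($length > 0 && strlen($out) + strlen($piece) > $length) {
            break;
        }
        $out .= $piece;
    }
    return $out;
}

/**
 * Same control flow as _truncate_post_slug(): a slug over $length bytes that
 * contains percent-encoded octets is urldecode()'d and re-encoded. The
 * $patched flag selects which encoder model performs the re-encoding.
 */
function truncate_slug(string $slug, bool $patched, int $length = 200): string
{
    if (strlen($slug) > $length) {
        $decoded = urldecode($slug);
        if ($decoded === $slug) {
            $slug = substr($slug, 0, $length);
        } else {
            $slug = $patched
                ? model_uri_encode_new($decoded, $length, true)
                : model_uri_encode_old($decoded, $length);
        }
    }
    return rtrim($slug, '-');
}

/** Hypothetical audit helper: a stored slug should never contain raw HTML metacharacters. */
function slug_contains_raw_markup(string $slug): bool
{
    return preg_match('/[<>"\']/', $slug) === 1;
}

// Constructed input: a long slug whose only unusual content is a
// percent-encoded <b> tag, which the slug sanitizer leaves as %3Cb%3E.
$slug = str_repeat('a', 195) . '-%3Cb%3E-' . str_repeat('b', 20);

foreach (['unpatched' => false, 'patched' => true] as $label => $patched) {
    $stored = truncate_slug($slug, $patched);
    printf("%-9s %s  raw markup: %s\n",
        $label, $stored, slug_contains_raw_markup($stored) ? 'yes' : 'no');
}
```

With the unpatched model the truncated slug ends in a literal <b>, because the decoded tag fits within the 200-byte cap and nothing re-encodes it; with the patched model the same bytes come back as %3Cb and the audit helper reports no raw markup. The helper is the kind of check a defender can run over existing post_name values after upgrading, since the fix prevents new bad slugs but does not rewrite ones already stored.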

Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-48606  HIGH      7.8    NixOS         android         No                No       Dec 08, 2025
CVE-2025-48625  HIGH      7      NixOS         android         No                No       Dec 08, 2025
CVE-2025-48608  MEDIUM    5.5    NixOS         android         No                No       Dec 08, 2025
CVE-2025-48569  MEDIUM    5.5    NixOS         android         No                No       Dec 08, 2025
CVE-2025-65799  MEDIUM    4.3    NixOS         memos           No                Yes      Dec 08, 2025
