CVE-2022-21663
WordPress is a free and open-source content management system written in PHP with a MariaDB database. Super Admin users can bypass hardening through object injection.
Super Admin users can exploit this to inject malicious code into the WordPress configuration. This can lead to cross-site scripting (XSS), sensitive data exposure, and other issues. Exploiting this issue requires a site administrator with the Super Admin role. Patched versions are mentioned above. If you run one of these WordPress installations and cannot roll out the patch soon, you can try the following workaround to harden your installation. It is not a permanent solution, but it will help for a short time. Accessing the WordPress admin does not by itself prevent exploitation; you should always be careful when accessing the WordPress admin panel.
Disable Super Admin Access
Disable XML-RPC
To prevent an attacker from exploiting this vulnerability, remove the XML-RPC interface from your installation. WordPress has no define() constant for this; the supported mechanism is the xmlrpc_enabled filter, which can only be registered once core has loaded, so the wp-config.php placement does not work and the following line belongs in a must-use plugin (wp-content/mu-plugins/) or the active theme's functions.php instead:
add_filter( 'xmlrpc_enabled', '__return_false' ); // core filter; returning false rejects XML-RPC logins
This will prevent anyone from accessing the XML-RPC interface that is vulnerable to CVE-2022-21663.
Disable Pingbacks & Trackbacks in WordPress
To prevent exploitation, you can disable the Pingback and Trackback options.
You should also be careful when accessing the admin panel of WordPress.
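As an added example that is not part of the original advisory, the must-use plugin below combines the two hardening steps above (disabling XML-RPC and disabling pingbacks/trackbacks) using WordPress core filters. It assumes the file is saved under wp-content/mu-plugins/ so it loads on every request; the file and plugin name are hypothetical.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC and pings (added example, hypothetical name)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php (assumed path). Must-use
 * plugins load on every request, including every site of a multisite network.
 * Every hook below is a WordPress core filter; this is defensive hardening,
 * not a replacement for applying the security release.
 */

// 1. Refuse XML-RPC at the authentication step. Note: this only blocks
//    authenticated methods; pingback.ping needs no login, so it is removed
//    separately below.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Drop the pingback methods from the XML-RPC method table so they stay
//    unavailable even if another plugin re-enables XML-RPC.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: remove the X-Pingback response header
//    that WordPress adds on singular posts with pings open.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Treat pings (pingbacks and trackbacks) as closed on every post,
//    regardless of the per-post "Allow pingbacks & trackbacks" setting.
add_filter( 'pings_open', '__return_false' );

// 5. Make new posts default to closed pings and do not send outbound
//    pingbacks, by short-circuiting the two discussion options.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
add_filter( 'pre_option_default_pingback_flag', function () {
    return '0';
} );
```

After installing, a request to /xmlrpc.php should return the "XML-RPC services are disabled on this site" fault, and the X-Pingback header should no longer appear on post responses.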
Disable the WordPress Remote Administration (RWA) feature
WordPress RWA is enabled by default. However, some environments do not have proper network access and cannot connect to the WordPress server. To disable RWA, add the following code to your wp-config.php file.
add_filter('remote_login', '__return_false');
This code disables RWA for the current site only. If you want to disable it for all sites in your network, use this code instead:
add_filter('remote_login', '__return_false');
Disable automatic updates
If you have WordPress installed, the following steps will prevent automatic updates from being applied to your website. You can still update manually if necessary.
1) Log in to your WordPress admin account and go to the Plugins section.
2) Search for "Automatic Updates" in the search bar and disable it by clicking the Disable button at its top.
3) Go back to the Plugins section, find "WordFence Security", and disable it as well.
Timeline
Published on: 01/06/2022 23:15:00 UTC
Last modified on: 07/28/2022 16:15:00 UTC
References
- https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
- https://www.debian.org/security/2022/dsa-5039
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/
- https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html
- https://blog.sonarsource.com/wordpress-object-injection-vulnerability/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21663