Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html | Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html | Exploit Third Party Advisory VDB Entry |
https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/ | Exploit Third Party Advisory |
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html | Mailing List Third Party Advisory |
https://wordpress.org/news/category/security/ | Release Notes Vendor Advisory |
https://www.debian.org/security/2021/dsa-4896 | Third Party Advisory |
Configurations
History
27 Oct 2022, 23:06
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/ - Exploit, Third Party Advisory |
13 Sep 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Dec 2021, 20:35
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html - Third Party Advisory, VDB Entry | |
References | (MISC) http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html - Exploit, Third Party Advisory, VDB Entry |
20 Sep 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Jun 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Jun 2021, 18:50
Type | Values Removed | Values Added |
---|---|---|
References | (DEBIAN) https://www.debian.org/security/2021/dsa-4896 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
23 Apr 2021, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Apr 2021, 14:52
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | (CONFIRM) https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh - Third Party Advisory | |
References | (MISC) https://wordpress.org/news/category/security/ - Release Notes, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 6.5 |
CPE | cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* |
15 Apr 2021, 21:18
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-04-15 21:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-29447
Mitre link : CVE-2021-29447
CVE.ORG link : CVE-2021-29447
JSON object : View
Products Affected
wordpress
- wordpress
debian
- debian_linux
CWE
CWE-611
Improper Restriction of XML External Entity Reference