XML External Entity (XXE) Injection Affecting wordpress package, versions <5.7.1+dfsg1-1


Severity

Recommended
low

Based on Debian security rating.

Threat Intelligence

Exploit Maturity
Mature
EPSS
2.93% (92nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML External Entity (XXE) Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN12-WORDPRESS-1563176
  • published16 Apr 2021
  • disclosed15 Apr 2021

Introduced: 15 Apr 2021

CVE-2021-29447  (opens in a new tab)
CWE-611  (opens in a new tab)

How to fix?

Upgrade Debian:12 wordpress to version 5.7.1+dfsg1-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream wordpress package and not the wordpress package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

CVSS Scores

version 3.1