XML External Entity (XXE) Injection Affecting wordpress package, versions <5.7.1+dfsg1-1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-WORDPRESS-1247793
- published 16 Apr 2021
- disclosed 15 Apr 2021
Introduced: 15 Apr 2021
CVE-2021-29447 Open this link in a new tabHow to fix?
Upgrade Debian:unstable wordpress to version 5.7.1+dfsg1-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream wordpress package and not the wordpress package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
References
- https://security-tracker.debian.org/tracker/CVE-2021-29447
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
- https://www.debian.org/security/2021/dsa-4896
- http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
- http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
- https://wordpress.org/news/category/security/
- https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
- https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/
- https://www.exploit-db.com/exploits/50304