XXE WordPress Vulnerability Threat Intel Advisory

May 11, 2021
min read
Advisory Type 
Vulnerability Intelligence
Vulnerability Type
Blind XML External Entity Injection 
Vulnerable Application
WordPress Media Library
Affected Platform
< WordPress 5.7.1

Executive Summary

A blind XML External Entity (XXE) injection vulnerability in the WordPress Media Library, tracked as a high severity CVE-2021-29447, allows authenticated users with file upload permissions, to steal files. An attacker can abuse this vulnerability to obtain arbitrary files present in the server and could possibly make server-side request forgery (SSRF) requests from the target website to other network resources depending on the environment.

Technical Details

XML defines custom entities that are then reused throughout the document. Such definitions are stored in DTD files. An XML parser fetches these definitions from a foreign server via URI. An attacker can abuse this to exfiltrate the data present in the victim server.

WordPress uses the getID3 library to obtain metadata from the uploaded media files, in the form of XML. The code base uses the following function to parse the XML: simplexml_load_string ($XMLstring, ‘SimpleXMLElement’, LIBXML_NOENT). LIBXML_NOENT enables External Entities leading to the execution of malicious External Entity definitions hosted on the attacker controlled infrastructure. The problematic code is executed when the ID3 library uses an iXML chunk of wave audio file to parse the metadata. Attackers can upload maliciously crafted WAV files containing the payload to trigger XXE injection.


  • Arbitrary file disclosure affects even WordPress critical files such as wpconfig.php
  • Server-Side Request Forgery (SSRF) allows attackers to make HTTP requests for WordPress installation. It can have an adverse impact based on the network environment.


The issue has been resolved in the latest update of the WordPress version 5.7.1. Users are requested to update to the latest version of WordPress.

No items found.