XXE WordPress Vulnerability Threat Intel Advisory

Executive Summary

A blind XML External Entity (XXE) injection vulnerability in the WordPress Media Library, tracked as a high severity CVE-2021-29447, allows authenticated users with file upload permissions, to steal files. An attacker can abuse this vulnerability to obtain arbitrary files present in the server and could possibly make server-side request forgery (SSRF) requests from the target website to other network resources depending on the environment.

Technical Details

XML defines custom entities that are then reused throughout the document. Such definitions are stored in DTD files. An XML parser fetches these definitions from a foreign server via URI. An attacker can abuse this to exfiltrate the data present in the victim server.

WordPress uses the getID3 library to obtain metadata from the uploaded media files, in the form of XML. The code base uses the following function to parse the XML: simplexml_load_string ($XMLstring, ‘SimpleXMLElement’, LIBXML_NOENT). LIBXML_NOENT enables External Entities leading to the execution of malicious External Entity definitions hosted on the attacker controlled infrastructure. The problematic code is executed when the ID3 library uses an iXML chunk of wave audio file to parse the metadata. Attackers can upload maliciously crafted WAV files containing the payload to trigger XXE injection.

Impact

• Arbitrary file disclosure affects even WordPress critical files such as wpconfig.php
• Server-Side Request Forgery (SSRF) allows attackers to make HTTP requests for WordPress installation. It can have an adverse impact based on the network environment.

Mitigations

The issue has been resolved in the latest update of the WordPress version 5.7.1. Users are requested to update to the latest version of WordPress.