Researchers have found a serious XXE vulnerability in the WordPress platform. Exploiting the flaw could allow an authenticated attacker to read files from a target site. WordPress has fixed the bug in its latest release, so all WordPress administrators should update as soon as possible.
WordPress XXE Vulnerability
According to a report, the SonarSource security team found an XML External Entity (XXE) injection vulnerability in WordPress. Exploiting the bug could let an attacker pilfer data from the target server remotely.
As elaborated in their blog post, the bug required the attacker to have authenticated access to the target site. With that in hand, the attacker could retrieve arbitrary files from the server or perform server-side request forgery (SSRF) attacks.
Exploiting this vulnerability, CVE-2021-29447, had some limitations, however. First, it required the attacker to have file upload permissions on the target site, which the Author role grants. The researchers believe, though, that an adversary could chain this bug with other flaws to carry out the attack from a lower-privileged account.
Second, the target WordPress site had to be running PHP 8.
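The bug class the article describes, as an added example that is not WordPress or getID3 code: a hypothetical PHP metadata parser hands attacker-controlled XML to simplexml_load_string() with LIBXML_NOENT, so an external entity pointing at a local file is substituted into the parsed result, beside a hardened version that rejects any DOCTYPE and installs an entity loader that refuses every external lookup. The parser functions, the temporary "secret" file and the payload are all constructed for the demo; the example shows the class, not the exact WordPress code path.

```php
<?php
// Added illustration of the XXE bug class described in the article. This is
// not WordPress or getID3 code: the parser functions and the "server" file are
// hypothetical, and the payload is constructed for the demo.
declare(strict_types=1);

libxml_use_internal_errors(true); // collect parser errors instead of emitting warnings

// Constructed stand-in for a sensitive server-side file such as a config file.
$secretPath = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($secretPath, "DB_PASSWORD=hunter2\n");

// Constructed attacker-controlled XML, standing in for a metadata chunk inside
// an uploaded media file. The external entity points at the sensitive file.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE meta [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<meta><title>&xxe;</title></meta>
XML;

function parse_vulnerable(string $xml): ?string
{
    // LIBXML_NOENT asks libxml to substitute entities, including external
    // ones, so the parser fetches file:// (and http://) targets on the
    // attacker's behalf and the fetched bytes land inside <title>.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : (string) $doc->title;
}

function parse_hardened(string $xml): ?string
{
    // Metadata XML never legitimately needs a DOCTYPE, so refuse any document
    // that carries one; that removes both internal and external entities.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }
    // Defence in depth: make every external entity lookup fail, and do not
    // pass LIBXML_NOENT. libxml_set_external_entity_loader() is the
    // replacement for libxml_disable_entity_loader(), which PHP 8 deprecated.
    libxml_set_external_entity_loader(static fn() => null);
    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        return $doc === false ? null : (string) $doc->title;
    } finally {
        libxml_set_external_entity_loader(null); // restore the default loader
    }
}

// Vulnerable parse of the constructed payload: the entity is resolved.
var_dump(parse_vulnerable($payload));
// Hardened parse of the same payload: rejected because of the DOCTYPE.
var_dump(parse_hardened($payload));
// A benign document still parses under the hardened function.
var_dump(parse_hardened('<meta><title>track 01</title></meta>'));

unlink($secretPath);
```

The DOCTYPE string check on its own is not a complete defence (an attacker can, for instance, supply the document in an encoding the check does not recognise), which is why the hardened function also drops LIBXML_NOENT and pins a refusing entity loader; either of the latter two measures alone already stops the file read in this demo.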
The researchers published a video as proof of concept.
WordPress Fixed The Flaw Alongside Another Bug
The researchers reported the flaw, which they found in WordPress 5.7, to the WordPress team.
The developers addressed it in WordPress 5.7.1.
The same release fixed a second security bug, a data exposure vulnerability in the REST API, reported by Mikael Korpela.
In addition to the two security fixes, WordPress 5.7.1 addresses 24 other bugs.
All users should therefore update their sites to WordPress 5.7.1 as soon as possible.
Since the bugs also affect earlier WordPress versions and many sites have not yet moved to 5.7, the security fixes have also been backported to every branch since WordPress 4.7.