# WordPress XXE Vulnerability: CVE-2021-29447

A user with the ability to upload a malicious WAVE file (such as an Author) can exploit an XML parsing issue in the WordPress Media Library, leading to XXE attacks that can disclose files from the server's file system.

# Vulnerable code

## XML External Entity (XXE) Vulnerabilities

XML offers the possibility to define custom entities that can be reused throughout a document. This can, for example, be used to avoid duplication. The following code defines an entity `myEntity` for later use.


The value of defined entities can also stem from an external source referenced by a URI. In this case, they are called external entities:


XXE attacks misuse this feature: if an attacker supplies file:///var/www/wp-config.php as the URI, the contents of that sensitive file are leaked. Such attacks are possible whenever a loosely configured XML parser is run on user-controlled content.

## XXE in WordPress

WordPress has a Media Library that enables authenticated users to upload media files that can then be used in their blog posts. To extract metadata from these media files, e.g., artist name or title, WordPress uses the getID3 library. Some of this metadata is parsed in XML form, and a possible XXE vulnerability was reported here (line 730).


The libxml_disable_entity_loader(true) call was deprecated because PHP 8 requires libxml2 2.9+, which disables external entity fetching by default.

# Exploitation

Create a malicious WAVE file using the following command:


Create a DTD file and add the following code; this allows you to retrieve wp-config.php, which contains sensitive data such as database credentials.


Now launch an HTTP server:


Upload the malicious .wav file to the WordPress application. Once it has been uploaded, you should see the following request in your HTTP server logs. Note that, to exfiltrate data effectively, use zlib for decoding.


After that you will have the database credentials; log in to the database and look for the administrator account.


corp-001 is the administrator; crack his password hash and then log in as administrator.


# Fix code

WordPress patched the vulnerability in version 5.7.1 by reintroducing the call to the libxml_disable_entity_loader() function that was deprecated in PHP 8. To avoid PHP deprecation warnings, the PHP error-suppression operator @ was added to the call.
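As an added example (not WordPress or getID3 code), the following PHP routine applies the same guard the 5.7.1 patch reinstated, plus two further defences a hardened parser should have; it assumes the metadata arrives as an XML string, and the sample inputs are constructed:

```php
<?php
declare(strict_types=1);

/**
 * Parse an untrusted XML metadata string (such as the XML chunk getID3
 * reads from a WAVE file) without ever resolving external entities.
 * Returns the DOMDocument on success, or null if the input is rejected
 * or malformed.
 */
function parseUntrustedXml(string $xml): ?DOMDocument
{
    // Media metadata never needs a DTD. Refuse any document carrying a
    // DOCTYPE (and therefore any <!ENTITY> declaration) before libxml
    // sees it, which blocks the whole class of bug rather than one payload.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    // Same guard the WordPress 5.7.1 patch reinstated. It is deprecated on
    // PHP 8 (libxml2 2.9+ already refuses external entities unless the
    // parser is called with LIBXML_NOENT), so the notice is silenced with @.
    if (function_exists('libxml_disable_entity_loader')) {
        @libxml_disable_entity_loader(true);
    }

    // Do NOT pass LIBXML_NOENT: that flag asks libxml to substitute
    // entities, which is what turns a SYSTEM entity into a file read.
    // LIBXML_NONET additionally forbids network fetches during parsing.
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $ok ? $dom : null;
}

// Constructed sample inputs; not real getID3 output.
$benign  = '<?xml version="1.0"?><BWFXML><TITLE>demo track</TITLE></BWFXML>';
$hostile = '<?xml version="1.0"?>'
    . '<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    . '<BWFXML><TITLE>&ext;</TITLE></BWFXML>';

$doc = parseUntrustedXml($benign);
echo $doc !== null
    ? 'benign: ' . $doc->getElementsByTagName('TITLE')->item(0)->textContent . PHP_EOL
    : "benign: rejected\n";
echo parseUntrustedXml($hostile) === null ? "hostile: rejected\n" : "hostile: parsed\n";
```

The DOCTYPE check is the cheap, parser-independent layer; the two libxml settings cover code paths that cannot pre-screen the input.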


# Resources: