|Blind XML External Entity [XXE] Injection
|Wordpress Media Library [Media Uploader]
|< Wordpress 5.7.1
Executive SummaryA blind XML External Entity (XXE) injection vulnerability in the Wordpress Media Library, tracked as a high severity CVE-2021-29447, allows authenticated users with file upload permissions, to steal files. An attacker can abuse this vulnerability to obtain arbitrary files present in the server and could possibly make server-side request forgery (SSRF) requests from the target website to other network resources depending on the environment.
Technical DetailsXML defines custom entities that are then reused throughout the document. Such definitions are stored in DTD files. An XML parser fetches these definitions from a foreign server via URI. An attacker can abuse this to exfiltrate the data present in the victim server. Wordpress uses the getID3 library to obtain metadata from the uploaded media files, in the form of XML. The code base uses the following function to parse the XML: simplexml_load_string ($XMLstring, 'SimpleXMLElement', LIBXML_NOENT). LIBXML_NOENT enables External Entities leading to the execution of malicious External Entity definitions hosted on the attacker controlled infrastructure. The problematic code is executed when the ID3 library uses an iXML chunk of wave audio file to parse the metadata. Attackers can upload maliciously crafted WAV files containing the payload to trigger XXE injection.
- Arbitrary file disclosure affects even Wordpress critical files such as wpconfig.php
- Server-Side Request Forgery (SSRF) allows attackers to make HTTP requests for Wordpress installation. It can have an adverse impact based on the network environment.