XXE Wordpress Vulnerability Threat Intel Advisory

A blind XML External Entity (XXE) injection vulnerability in Wordpress, tracked as CVE-2021-29447 allows authenticated users to steal files.
Updated on
April 19, 2023
Published on
May 10, 2021
Subscribe to the latest industry news, threats and resources.
Advisory Type 
Vulnerability Intelligence
Vulnerability Type
Blind XML External Entity [XXE] Injection 
Vulnerable Application
Wordpress Media Library [Media Uploader]
Affected Platform
< Wordpress 5.7.1

Executive Summary

A blind XML External Entity (XXE) injection vulnerability in the Wordpress Media Library, tracked as a high severity CVE-2021-29447, allows authenticated users with file upload permissions, to steal files. An attacker can abuse this vulnerability to obtain arbitrary files present in the server and could possibly make server-side request forgery (SSRF) requests from the target website to other network resources depending on the environment.

Technical Details

XML defines custom entities that are then reused throughout the document. Such definitions are stored in DTD files. An XML parser fetches these definitions from a foreign server via URI. An attacker can abuse this to exfiltrate the data present in the victim server. Wordpress uses the getID3 library to obtain metadata from the uploaded media files, in the form of XML. The code base uses the following function to parse the XML: simplexml_load_string ($XMLstring, 'SimpleXMLElement', LIBXML_NOENT). LIBXML_NOENT enables External Entities leading to the execution of malicious External Entity definitions hosted on the attacker controlled infrastructure. The problematic code is executed when the ID3 library uses an iXML chunk of wave audio file to parse the metadata. Attackers can upload maliciously crafted WAV files containing the payload to trigger XXE injection.


  • Arbitrary file disclosure affects even Wordpress critical files such as wpconfig.php
  • Server-Side Request Forgery (SSRF) allows attackers to make HTTP requests for Wordpress installation. It can have an adverse impact based on the network environment.


The issue has been resolved in the latest update of the Wordpress version 5.7.1. Users are requested to update to the latest version of Wordpress.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations