XXE Wordpress Vulnerability Threat Intel Advisory

Published 10 May 2021

  • Blind XML External Entity (XXE) injection vulnerability in Wordpress allows authenticated users to steal files
  • It is tracked as a high severity CVE-2021-29447

Share this Threat Intel:

Advisory Type 
Vulnerability Intelligence
Vulnerability Type
Blind XML External Entity [XXE] Injection 
Vulnerable Application
WordPress Media Library [Media Uploader]
Affected Platform
< WordPress 5.7.1

Executive Summary

A blind XML External Entity (XXE) injection vulnerability in the WordPress Media Library, tracked as a high severity CVE-2021-29447, allows authenticated users with file upload permissions, to steal files. An attacker can abuse this vulnerability to obtain arbitrary files present in the server and could possibly make server-side request forgery (SSRF) requests from the target website to other network resources depending on the environment.

Technical Details

XML defines custom entities that are then reused throughout the document. Such definitions are stored in DTD files. An XML parser fetches these definitions from a foreign server via URI. An attacker can abuse this to exfiltrate the data present in the victim server.

WordPress uses the getID3 library to obtain metadata from the uploaded media files, in the form of XML. The code base uses the following function to parse the XML: simplexml_load_string ($XMLstring, ‘SimpleXMLElement’, LIBXML_NOENT). LIBXML_NOENT enables External Entities leading to the execution of malicious External Entity definitions hosted on the attacker controlled infrastructure. The problematic code is executed when the ID3 library uses an iXML chunk of wave audio file to parse the metadata. Attackers can upload maliciously crafted WAV files containing the payload to trigger XXE injection.


  • Arbitrary file disclosure affects even WordPress critical files such as wpconfig.php
  • Server Side Request Forgery (SSRF) allows attackers to make HTTP requests for WordPress installation. It can have an adverse impact based on the network environment.


The issue has been resolved in the latest update of the WordPress version 5.7.1. Users are requested to update to the latest version of WordPress.

Be informed in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.

Join the Discussions

Discuss your way into our Community about these threats and stay Vigilant and informed.