CVE-2021-29447
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-29447 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-15 21:15:00 UTC |
| Updated | 2022-10-27 23:06:00 UTC |
| Description | WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] [DLA 2630-1] wordpress security update | MLIST | lists.debian.org | |
| Debian -- Security Information -- DSA-4896-1 wordpress | DEBIAN | www.debian.org | |
| News – Security – WordPress.org | MISC | wordpress.org | |
| WordPress 5.7 XXE Vulnerability | MISC | blog.sonarsource.com | |
| WordPress: Authenticated XXE attack when installation is running PHP 8 · Advisory · WordPress/wordpress-develop · GitHub | CONFIRM | github.com | |
| WordPress 5.7 Media Library XML Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| XML External Entity Via MP3 File Upload On WordPress ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 154095 WordPress XXE Attack due to XML Parsing Issue in Media Library
- 178554 Debian Security Update for wordpress (DLA 2630-1)
- 178560 Debian Security Update for wordpress (DSA 4896-1)
- 180298 Debian Security Update for wordpress (CVE-2021-29447)