WordPress XXE Vulnerability | CVE-2021–29447 TryHackMe
We covered a wordpress XXE vulnerability CVE-2021–29447 that allows for sensitive files disclosure and server-side request forgery (SSRF). We exploited this WordPress vulnerability by generating WAV payload and uploading it to the compromised WordPress website. This was part of TryHackMe WordPress: CVE-2021–29447 Room.
Highlights
What is XXE vulnerability
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.
WordPress CVE-2021–29447 Impact
- Arbitrary File Disclosure: The contents of any file on the host’s file system could be retrieved, e.g. wp-config.php which contains sensitive data such as database credentials.
- Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.
References
- WordPress 5.7 — ‘Media Library’ XML External Entity Injection (XXE) (Authenticated): Exploit-DB
- WordPress 5.6–5.7 — Authenticated (Author+) XXE (CVE-2021–29447): Github
- WordPress 5.6–5.7 — Authenticated XXE Within the Media Library Affecting PHP 8: wpscan
Room Answers
Room answers can be found here.
