CVE-2021-29447

Name
CVE-2021-29447
Description
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Release Notes https://wordpress.org/news/category/security/
Third Party Advisory https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
DEBIAN https://www.debian.org/security/2021/dsa-4896
MISC http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
MISC http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* wordpress >= 5.6.0 < 5.7.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status