Researchers provide technical details of bug that was fixed in latest security release

WordPress XXE injection vulnerability could allow attackers to remotely steal host files

An XML External Entity (XXE) injection bug in WordPress could allow attackers to remotely steal a victim’s files, researchers have revealed.

Security researchers at SonarSource who discovered the vulnerability published a blog post today (April 27) that provides technical details on the now-patched bug.


An XXE vulnerability allows an attacker to interfere with an application’s processing of XML data. This can enable them to view files on the application server filesystem and interact with any back-end or external systems that the application itself can access.
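One common parser-side defence against this class of bug is to refuse any document that carries a DOCTYPE, since that is where entities are declared. The sketch below is an added example, not code from WordPress or from the SonarSource post; it uses Python's standard expat bindings rather than PHP, and the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Untrusted XML carried a DOCTYPE, which is where entities are declared."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Return {element path: text} for untrusted XML, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in one piece
    fields, path = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DTD, so stopping here means
        # no file or URL reference is ever looked at.
        raise DtdForbidden(f"DOCTYPE {name!r} is not accepted")

    def on_start(name, attrs):
        path.append(name)

    def on_end(name):
        path.pop()

    def on_text(text):
        if text.strip():
            fields["/".join(path)] = text.strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return fields


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except DtdForbidden:
        return True
    return False


# Constructed sample inputs (not taken from the article or the advisory).
PLAIN = b"<media><title>Intro jingle</title><artist>Example</artist></media>"
WITH_DTD = (b'<!DOCTYPE media [<!ENTITY ext SYSTEM "constructed-placeholder.txt">]>'
            b"<media><title>&ext;</title></media>")

if __name__ == "__main__":
    print(parse_untrusted_xml(PLAIN), is_rejected(PLAIN), is_rejected(WITH_DTD))
```

The parse is aborted inside the DOCTYPE handler, before any element content is processed, so the rejected document contributes nothing to the result.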

In this case, the XXE bug was present in WordPress versions 5.7 and below, and could allow for remote arbitrary file disclosure and server-side request forgery (SSRF).


The blog post adds the caveat that this issue is only present in affected WordPress installations running on PHP 8.

“Additionally, the permissions to upload media files are needed,” SonarSource researchers explained in the blog post.


“On a standard WordPress installation this translates to having author privileges. However, combined with another vulnerability or a plugin allowing visitors to upload media files, it could be exploited with lower privileges.”

The researchers disclosed the code vulnerability to the WordPress security team, who fixed it in the latest version (5.7.1) and assigned CVE-2021-29447.


WordPress, the world’s most popular content management software, powers around 40% of all websites in use, making it a clear target for malicious actors.

Fortunately, thanks to ongoing security work from the maintainers of the open source CMS framework, many sites running WordPress will now auto-update.

Web admins who do not have this feature enabled can update via their WordPress admin dashboard.
