Cyber Resilience

CVE-2021-29447

Severity: High · Public PoC: yes

Published: 15 April 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: available (WordPress 5.7.1)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.9078 (99.6th percentile)
Risk Priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-29447 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in WordPress; the Debian Linux entries under Affected Assets are platform CPEs for the distribution's WordPress package, not a separate flaw in Debian. Its CVSS v3.1 base score is 7.1 (High).

Operationally, this CVE ranks in the top 0.4% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.


Vulnerability details

WordPress is an open source CMS. A user with the ability to upload files (such as an Author) can exploit an XML parsing issue in the Media Library, leading to an XXE attack. This requires the WordPress installation to be running PHP 8. A successful XXE attack gives access to internal files. This has been patched in WordPress 5.7.1, and in the older affected versions via a minor release. We strongly recommend keeping auto-updates enabled.
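The weakness class behind this CVE (CWE-611) comes down to one parser option. The following is an added illustration, not code from this page, from WordPress, or from the bundled getID3 library that the public analyses of the 5.7.1 patch identify as the affected component (this page itself does not name the component). It assumes a PHP 8 runtime and that an uploaded media file carries attacker-controlled XML metadata which the server parses with SimpleXML; the function names, the `<metadata>` document shape and the temp-file "secret" are constructed for the demo.

```php
<?php
// Added illustration of the CWE-611 pattern behind CVE-2021-29447.
// Not WordPress or getID3 code; function names and sample XML are made up for the demo.
declare(strict_types=1);

// Vulnerable shape: LIBXML_NOENT asks libxml2 to substitute entities, which re-enables
// external entity loading even though libxml >= 2.9 leaves it off by default. On PHP < 8
// a global libxml_disable_entity_loader(true) still blocked the load; on PHP 8 that call
// is deprecated, and code that skips it to silence the deprecation leaves the flag alone
// to decide, so the external entity is fetched.
function parse_metadata_vulnerable(string $xml): ?SimpleXMLElement
{
    $obj = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $obj === false ? null : $obj;
}

// Hardened shape: refuse any document that declares a DOCTYPE (the only place entities
// can be defined), never pass LIBXML_NOENT, and add LIBXML_NONET so libxml cannot reach
// the network while parsing.
function parse_metadata_hardened(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null; // media metadata never legitimately needs a DTD
    }
    $prev = libxml_use_internal_errors(true);
    $obj = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $obj === false ? null : $obj;
}

// Self-contained demo: the "secret" is a temp file this script creates itself, standing in
// for a server-side file such as wp-config.php. Nothing outside the temp dir is touched.
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, 'DB_PASSWORD=example');

// Constructed attacker payload: an external entity pointing at the local file.
$malicious = <<<XML
<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY leak SYSTEM "file://{$secret}"> ]>
<metadata><title>&leak;</title></metadata>
XML;

$vuln = parse_metadata_vulnerable($malicious);
echo "vulnerable parser: ", $vuln !== null ? (string) $vuln->title : '(rejected)', "\n";
// On PHP 8 the title now holds DB_PASSWORD=example: the file came back inside the XML,
// which is exactly the "access to internal files" the advisory describes.

$safe = parse_metadata_hardened($malicious);
echo "hardened parser:   ", $safe !== null ? (string) $safe->title : '(rejected)', "\n";
// The DOCTYPE check rejects the document before libxml ever sees the entity.

unlink($secret);
```

The practical check for a code base running on PHP 8 is therefore a grep for `LIBXML_NOENT` (and for `libxml_disable_entity_loader`, whose presence signals code written for the PHP 7 protection model). Where entity substitution genuinely cannot be dropped, PHP's own migration guidance is to install a resolver with `libxml_set_external_entity_loader()` that returns null for every request rather than to rely on the deprecated global toggle.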

CWE(s)

CWE-611: Improper Restriction of XML External Entity Reference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

WordPress (wordpress): 5.6.0 up to 5.7.1 (5.7.1 is the fixed release)
Debian Linux (debian): 9.0, 10.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing that includes XML external entity payloads, so that XXE vulnerabilities are detected and can be mitigated (addresses CWE-611).

Monitoring for unusual file/network access or resource usage, to identify XML external entity processing (addresses CWE-611).
