Security News > 2021 > April > WordPress 5.7.1 Patches XXE Flaw in PHP 8

WordPress 5.7.1 Patches XXE Flaw in PHP 8
2021-04-19 20:03

WordPress has released version 5.7.1 of its popular content management system, which brings more than 25 bug fixes, including patches for two security vulnerabilities.

One of the patched security flaws is an XML External Entity vulnerability in the ID3 library in PHP 8, which is used by WordPress.

Designed to parse ID3 tags from MP3 audio files, the library did not explicitly disable XML entities in PHP 8, which rendered WordPress 5.7 and older versions vulnerable to XXE attacks via MP3 file uploads.

Only WordPress deployments that use PHP 8 are affected, so the vast majority of websites are safe from exploitation attempts of this vulnerability.

The issue, WordPress explains, exists in a block in the WordPress editor, which could be exploited by attackers to expose password-protected posts and pages.

In an advisory on Friday, the Cybersecurity and Infrastructure Security Agency warned that the vulnerabilities addressed in WordPress 5.7.1 affect versions 4.7 to 5.7 and that attackers able to successfully exploit one of these could take control of an affected website.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/0Y5RHjmXLFA/wordpress-571-patches-xxe-flaw-php-8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
PHP 9 1 43 115 124 283
Wordpress 7 2 93 44 18 157