WordPress 5.7.1 Patches XXE Flaw in PHP 8

2021-04-19 20:03

WordPress has released version 5.7.1 of its popular content management system, which brings more than 25 bug fixes, including patches for two security vulnerabilities.

One of the patched security flaws is an XML External Entity vulnerability in the ID3 library in PHP 8, which is used by WordPress.

Designed to parse ID3 tags from MP3 audio files, the library did not explicitly disable XML entities in PHP 8, which rendered WordPress 5.7 and older versions vulnerable to XXE attacks via MP3 file uploads.

Only WordPress deployments that use PHP 8 are affected, so the vast majority of websites are safe from exploitation attempts of this vulnerability.

The issue, WordPress explains, exists in a block in the WordPress editor, which could be exploited by attackers to expose password-protected posts and pages.

In an advisory on Friday, the Cybersecurity and Infrastructure Security Agency warned that the vulnerabilities addressed in WordPress 5.7.1 affect versions 4.7 to 5.7 and that attackers able to successfully exploit one of these could take control of an affected website.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/0Y5RHjmXLFA/wordpress-571-patches-xxe-flaw-php-8

#PHP #wordpress

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
PHP		21	24	308	218	84	634
Wordpress		49	36	409	104	29	578