CVE-2021-29447
WordPress Authenticated XXE attack when installation is running PHP 8Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
We have discovered 76,977 live websites that are affected by CVE-2021-29447.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 76,977 live websites (0.89% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 18 versions ( 2.71% of all versions) |
Common Weakness Enumeration
CWE-611 Improper Restriction of XML External Entity ReferenceDetails
- Published - Apr 16, 2021
- Updated - Aug 3, 2024
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2021-29447 United States | 14,368 websites |
 Germany | 10,025 websites |
 Japan | 7,960 websites |
 Italy | 4,081 websites |
 France | 4,032 websites |
 Russia | 3,621 websites |
 Poland | 3,128 websites |
 GB | 2,621 websites |
 Netherlands | 2,450 websites |
 Spain | 2,323 websites |
Website Distribution by TLD
Number of websites using CVE-2021-29447| .com | 28,879 websites |
| .de | 6,186 websites |
| .ru | 2,935 websites |
| .org | 2,687 websites |
| .it | 2,600 websites |
| .pl | 2,371 websites |
| .net | 2,224 websites |
| .nl | 2,139 websites |
| .jp | 1,724 websites |
| .fr | 1,533 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2021-29447
Top websites that are affected by CVE-2021-29447. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.co |  Serbia | **,*** | |
| *****************.org | United States | **,*** | |
| *****.tv | **,*** | ||
| *********.***.au | United States | **,*** | |
| ******************.com | United States | **,*** | |
| *****.*******.org | United States | **,*** | |
| ***********.com | United States | **,*** | |
| ******.*******.org | United States | **,*** | |
| ***.edu | United States | **,*** | |
| *********.net | United States | **,*** |
FAQ
CVE-2021-29447 is Improper Restriction of XML External Entity Reference in WordPress
A total of 76,977 websites have been identified as vulnerable to CVE-2021-29447, based on global website indexing conducted by WebTechSurvey.
The WordPress is affected by the CVE-2021-29447 vulnerability.
WordPress versions up to 5.7.1 are vulnerable to CVE-2021-29447.
CVE-2021-29447 is resolved in version 5.7.1 of WordPress.
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
- https://wordpress.org/news/category/security/
- https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
- https://www.debian.org/security/2021/dsa-4896
- http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
- http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
- https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/