CVE-2021-29447
WordPress Authenticated XXE attack when installation is running PHP 8Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
We have discovered 100,858 live websites that are affected by CVE-2021-29447.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 100,858 live websites (1.09% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 18 versions ( 1.93% of all versions) |
Common Weakness Enumeration
CWE-611 Improper Restriction of XML External Entity ReferenceDetails
- Published - Apr 16, 2021
- Updated - Aug 3, 2024
CWE
CVE References
CWE References
CVE-2021-29447 usage by Country
 United States | 24,494 websites |
 Germany | 14,757 websites |
 Japan | 9,114 websites |
 France | 6,211 websites |
 Russia | 4,485 websites |
 Poland | 4,084 websites |
 Netherlands | 3,120 websites |
 GB | 2,985 websites |
 Spain | 2,647 websites |
 Italy | 2,384 websites |
CVE-2021-29447 usage by TLD
| .com | 38,037 websites |
| .de | 8,013 websites |
| .ru | 3,891 websites |
| .org | 3,547 websites |
| .pl | 3,401 websites |
| .nl | 2,936 websites |
| .net | 2,877 websites |
| .co.uk | 2,028 websites |
| .fr | 2,024 websites |
| .jp | 2,017 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2021-29447
Top websites that are affected by CVE-2021-29447. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | *,*** | |
| **********.com | France | *,*** | |
| **************.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| ***********.ru | Russia | **,*** | |
| *******.co | Germany | **,*** | |
| *****************.org | Germany | **,*** | |
| *****.tv | Japan | **,*** | |
| *****.***.**.uk | United States | **,*** | |
| *********.***.au | United States | **,*** |
FAQ
CVE-2021-29447 is Improper Restriction of XML External Entity Reference in WordPress
A total of 100,858 websites have been identified as vulnerable to CVE-2021-29447, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to CVE-2021-29447 vulnerability.
WordPress versions before 5.7.1 are vulnerable to CVE-2021-29447.
Version 5.7.1 of WordPress addresses the CVE-2021-29447 security vulnerability.
References
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
- https://wordpress.org/news/category/security/
- https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
- https://www.debian.org/security/2021/dsa-4896
- http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
- http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
- https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/