Authenticated XXE


The WordPress core Media Library does not securely parse XML content when running on PHP 8. By uploading a malicious .wav file, an authenticated attacker can trigger a XXE vulnerability which enables to read secret system files, DoS the web server, perform SSRF, or aim at Remote Code Execution via Phar Deserialization.

Steps To Reproduce:


  • latest WordPress 5.6 installation
  • running on PHP 8
  • author user privileges in WordPress, or higher
  • another web server that is controlled by the attacker to retrieve leaked data

The vulnerability can be exploited by uploading a crafted .wav file. The attached archive contains such a .wav file with a payload for extracting the content of /etc/passwd by loading an external DTD. To reproduce:

  1. Adapt the address in the 2 files in the attached PoC archive to point to a web server that you control (and that is reachable from the targeted WordPress installation).
  2. For the .wav file, the address has to be adapted at 0x000338CD (best use a hex editor for this, doing that with a text editor might corrupt the file).
  3. Put the file xxe.dtd at the root of the webserver that you control.
  4. Login to WordPress as author and upload xxe.wav in the media library.
  5. The content of /etc/passwd will appear in the access logs of the web server base64 encoded (see attached screenshot).

Vulnerable Code:

The vulnerable code commit is the following:

if (PHP_VERSION_ID < 80000) {
// This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
// disabled by default, so this function is no longer needed to protect against XXE attacks.
$loader = libxml_disable_entity_loader(true);
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);

It was recently modified to accommodate for the deprecation of the libxml_disable_entity_loader() function in PHP 8. The mistake here is to rely on the fact that XXE is no longer possible by default in PHP 8 (as it requires libxml version > 2.9). This is true, but using the LIBXML_NOENT flag is certainly not the default. The flag explicitly activates entity substitution (the name of the flag might be a little misleading). So if user input reaches that point as part of the $XMLstring variable, XXE is possible.


An attacker can:

  • read secret system files, such as .htaccess or wp-config.php
  • DoS the web server via a malicious XML document, or by loading /dev/urandom via XXE
  • fingerprint and exploit services in the internal network by turning the XXE into SSRF
  • trigger a Phar Deserialization by using the phar:// stream wrapper within the XXE which can lead to further
  • vulnerabilities, depending on the gadget chains available in the WordPress core and its plugins.