XML External Entity Injection via MP3 File Upload on WordPress
XML External Entity injection (XXE) is a vulnerability of the web security domain that allows an attacker to hinder the web application’s XML data processing techniques. A user with the ability to upload files on a WordPress Server can exploit an XML parsing issue in the Media Library leading to an XXE attack. A successful implementation of this XXE attack can lead to an attacker gaining access to the sensitive files like /etc/passwd of the file system.
- Understanding what is XML External Entity attack and mitigations to prevent it.
- Taking a look at WordPress and understanding the vulnerability being exploited.
- Mapping the affected versions of WordPress, its severity and mitigation.
- Setting up the lab environment and demonstration of how the attack works in WordPress.