CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
WordPress is vulnerable to an XML external entity (XXE) attack. A user with the ability to upload files (like an Author) is able to exploit an XML external entity vulnerability in the Media Library to retrieve arbitrary system files.
packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
github.com/motikan2010/CVE-2021-29447
github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
lists.debian.org/debian-lts-announce/2021/04/msg00017.html
security-tracker.debian.org/tracker/CVE-2021-29447
wordpress.org/news/category/security/
wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5
www.debian.org/security/2021/dsa-4896