Today, April 15th, 2021, WordPress released version 5.7.1, a security and maintenance release that reportedly patches two security vulnerabilities.
The WordPress release announcement lists the following two security vulnerabilities as being patched in version 5.7.1:
Thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8. Thanks Mikael Korpela for reporting a data exposure vulnerability within the REST API.
Let’s take a closer look at these vulnerabilities and see what other information we can find out about them.
They have been added to our database as the following:
- WordPress < 5.7.1 – XXE Within the Media Library Affecting PHP 8
- WordPress < 5.7.1 – Sensitive Data Exposure via REST API
WordPress < 5.7.1 – XXE Within the Media Library Affecting PHP 8
This vulnerability was an XML External Entity (XXE) vulnerability affecting the ID3 PHP library, which WordPress uses.
The ID3 library parses ID3 tags from MP3 audio files. ID3 tags are pieces of metadata about the MP3 audio files, such as the artists, song title, etc.
This vulnerability was found and reported to WordPress by a company called SonarSource. The same company that recently acquired the PHP Static Code Analysis company, RIPS Technologies.
RIPS Technologies found and reported many serious security issues to WordPress over the years while in operation. We can assume that it is the same technology that identified this vulnerability.
The vulnerable code was patched by WordPress before it was patched in the ID3 library.
The WordPress patch can be found here and looks like this:
The code comment reads:
This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, but is still needed when LIBXML_NOENT is used.
So what does the patch do?
In the vulnerable version of the code, the ID3 library assumed that it was OK to not explicitly disable XML entities in PHP 8. Using the libxml_disable_entity_loader() function in PHP 8 likely gave warnings about its deprecation.
However, one small, but important, detail is that XML entities must still be explicitly disabled if the LIBXML_NOENT option is passed to the simplexml_load_string() function, which in the case of ID3, it does. Thus leaving WordPress 5.7.1 and lesser versions that run on PHP version 8 vulnerable to XXE attacks through MP3 audio file uploads.
This vulnerability was assigned CVE-2021-29447.
- The vulnerability was introduced in the ID3 library on August 11th, 2020.
- The patch to fix the vulnerability in the ID3 library can be found here.
That means that the vulnerability was exploitable for about eight months. But, according to WordPress’s own statistics only 0.3% of WordPress users use PHP 8.
WordPress < 5.7.1 – Sensitive Data Exposure via REST API
One of the blocks in the WordPress editor could be exploited in a way that exposes password-protected posts and pages. This required at least contributor privileges.
This vulnerability was found and reported to WordPress by Mikael Korpela.
This vulnerability was assigned CVE-2021-29450.
Staying Secure
To ensure that you are secured against these vulnerabilities, upgrade to WordPress 5.7.1.
To be notified when these vulnerabilities are added to our WordPress vulnerability database, install our WordPress Security Plugin.
