Today, April 15th, 2021, WordPress released version 5.7.1, a security and maintenance release that reportedly patches two security vulnerabilities.
The WordPress release announcement lists the following two security vulnerabilities as being patched in version 5.7.1:
Let’s take a closer look at these vulnerabilities and see what other information we can find out about them.
They have been added to our database as the following:
- WordPress < 5.7.1 - XXE Within the Media Library Affecting PHP 8
- WordPress < 5.7.1 - Sensitive Data Exposure via REST API
WordPress < 5.7.1 - XXE Within the Media Library Affecting PHP 8
The ID3 library parses ID3 tags from MP3 audio files. ID3 tags are pieces of metadata about the MP3 audio files, such as the artists, song title, etc.
RIPS Technologies found and reported many serious security issues to WordPress over the years while in operation. We can assume that it is the same technology that identified this vulnerability.
The vulnerable code was patched by WordPress before it was patched in the ID3 library.
The WordPress patch can be found here and looks like this:
The code comment reads:
This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is disabled by default, but is still needed when LIBXML_NOENT is used.
So what does the patch do?
In the vulnerable version of the code, the ID3 library assumed that it was OK to not explicitly disable XML entities in PHP 8. Using the
libxml_disable_entity_loader() function in PHP 8 likely gave warnings about its deprecation.
However, one small, but important, detail is that XML entities must still be explicitly disabled if the
LIBXML_NOENT option is passed to the
simplexml_load_string() function, which in the case of ID3, it does. Thus leaving WordPress 5.7.1 and lesser versions that run on PHP version 8 vulnerable to XXE attacks through MP3 audio file uploads.
The vulnerability was introduced in the ID3 library on August 11th, 2020.
The patch to fix the vulnerability in the ID3 library can be found here.
That means that the vulnerability was exploitable for about eight months. But, according to WordPress’s own statistics only 0.3% of WordPress users use PHP 8.
WordPress < 5.7.1 - Sensitive Data Exposure via REST API
There are no details about this vulnerability at the time of writing, but we will update this page with further details as they become available.
It is not known what sensitive data could have been exposed or what REST API endpoint was affected.
This vulnerability was found and reported to WordPress by Mikael Korpela.
To ensure that you are secured against these vulnerabilities, upgrade to WordPress 5.7.1.