A severe security vulnerability, specifically an XML External Entity (XXE) injection vulnerability, has been discovered in WordPress.
The bug is serious: it allows remote attackers to steal files from any affected WordPress host.
The vulnerability affects WordPress versions prior to 5.7.1.
What Do XXE Injection Vulnerability Attacks Do?
Remote attackers are able to perform the following attacks:
- Disclosure of Arbitrary Files: The contents of any file on the WordPress host that the web server process can read can be retrieved. One example is wp-config.php, which contains the site's database credentials.
- Server-Side Request Forgery (SSRF): Attackers use the WordPress installation to make HTTP requests on their behalf. In environments where internal services are not fully locked down, this can have a serious impact.
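Both impacts above come from an XML parser that is allowed to resolve external entities. The following is an added example written for this post, not WordPress core code, showing how a PHP application should parse untrusted XML so that neither file disclosure nor SSRF is possible: refuse DOCTYPE and ENTITY declarations, never enable entity substitution, and forbid network access during parsing. The function name `parse_xml_safely`, the sample documents and the placeholder file path are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code: a hardened XML parsing helper for
// untrusted input. It rejects DOCTYPE/ENTITY declarations outright (that is
// where XXE payloads are declared), never enables entity substitution, and
// forbids network access while parsing.

function parse_xml_safely(string $xml): DOMDocument
{
    // Defence 1: an untrusted document has no business carrying a DOCTYPE.
    // Reject it before the parser ever sees it.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml) === 1) {
        throw new InvalidArgumentException('Rejected: DOCTYPE/ENTITY declaration in untrusted XML');
    }

    // Defence 2: on PHP < 8.0 external entity loading must be switched off
    // explicitly; PHP 8 disables it by default and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Collect parser errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET: no network access while parsing. Deliberately NOT
        // passing LIBXML_NOENT (substitute entities) or LIBXML_DTDLOAD
        // (fetch an external DTD), which are the options XXE relies on.
        $loaded = $dom->loadXML($xml, LIBXML_NONET);
        if ($loaded === false) {
            $messages = array_map(fn($e) => trim($e->message), libxml_get_errors());
            throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
        }
        // Defence 3: belt and braces in case the text check above was
        // sidestepped (e.g. an unusual encoding): a parsed document must
        // have no DOCTYPE node at all.
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('Rejected: parsed document carries a DOCTYPE');
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// --- Constructed sample inputs for the demonstration ---------------------
$benign = <<<XML
<?xml version="1.0"?>
<media><title>podcast.mp3</title><artist>Example</artist></media>
XML;

// Shape of an XXE document: an external entity declared in the DOCTYPE and
// referenced in the body. The file path is a placeholder, constructed for
// this check; the helper must refuse the document before resolving anything.
$hostile = <<<XML
<?xml version="1.0"?>
<!DOCTYPE media [ <!ENTITY ext SYSTEM "file:///path/to/PLACEHOLDER"> ]>
<media><title>&ext;</title></media>
XML;

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $doc) {
    try {
        $dom = parse_xml_safely($doc);
        $title = $dom->getElementsByTagName('title')->item(0)->textContent;
        echo "$label: parsed, title = $title\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: " . $e->getMessage() . "\n";
    }
}
```

Run with `php` on the command line: the benign document parses and prints its title, while the hostile one is rejected by the first check and the parser never touches the referenced path. The three layers are deliberately redundant; the cheap text check gives a clear, loggable rejection reason, the parser flags make the parse itself inert, and the post-parse DOCTYPE check catches anything that slipped past the first two.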
Thankfully, WordPress issued a security patch on April 14, 2021.
SonarSource reported the following technical details behind the attack:
Install the Patch and Upgrade!
As always, we recommend installing the latest patch and updating whenever possible.
You don’t want someone with nefarious intentions to access your files and destroy your website.
Believe us! We don’t want to see that happen to your website either.