CVE-2021-29447: 
NixOS vulnerability analysis and mitigation

A high-severity XML External Entity (XXE) vulnerability (CVE-2021-29447) was discovered in WordPress versions 5.6 to 5.7. The vulnerability affects WordPress installations running on PHP 8 and allows authenticated users with file upload permissions (such as Authors) to exploit an XML parsing issue in the Media Library. The vulnerability was discovered in early 2021 and was patched in WordPress version 5.7.1, released on April 14, 2021 (WordPress Security, GitHub Advisory).

The vulnerability exists in WordPress's use of the getID3 library for parsing metadata from media files. When parsing WAVE audio files' iXML chunks, the code uses simplexmlloadstring() with the LIBXMLNOENT flag, which enables entity substitution. In PHP 8, the previous protection mechanism (libxmldisableentityloader()) was deprecated because newer PHP versions use Libxml2 v2.9+ which disables external entity fetching by default. However, the LIBXML_NOENT flag explicitly enables entity substitution, making XXE attacks possible again (Sonar Blog).

The vulnerability allows attackers to achieve arbitrary file disclosure, potentially exposing sensitive files such as wp-config.php which contains database credentials and other configuration details. Additionally, it enables Server-Side Request Forgery (SSRF), allowing attackers to make HTTP requests on behalf of the WordPress installation, which could have serious implications depending on the environment (SecurityWeek, Sonar Blog).

The vulnerability was patched in WordPress version 5.7.1, along with backported fixes for older affected versions (5.6.x). The fix reintroduced the libxmldisableentity_loader() function call even for PHP 8, using the error suppressing operator @ to avoid deprecation warnings. Users are strongly recommended to update to the patched versions and keep auto-updates enabled (GitHub Advisory, Debian Security).