VID 22990
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description According to its self-reported version number, the WordPress installation on the remote host is affected by multiple vulnerabilities:

- A user with the ability to upload files (such as an Author) can exploit an XML parsing issue in the Media Library, leading to XXE attacks. This requires the WordPress installation to be running on PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled. (CVE-2021-29447)

- One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. (CVE-2021-29450)

* References:
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
https://lists.debian.org/debian-lts-announce/2021/04/msg00017.html
https://wordpress.org/news/category/security/ Vendor Advisory
https://www.debian.org/security/2021/dsa-4896
http://packetstormsecurity.com/files/163148/XML-External-Entity-Via-MP3-File-Upload-On-WordPress.html
http://packetstormsecurity.com/files/164198/WordPress-5.7-Media-Library-XML-Injection.html
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh

* Platforms Affected:
WordPress prior to 5.7.0
Any operating system, any version
Recommendation Upgrade to the version (5.7.0 or later) that fixes this vulnerability, available from the WordPress Download Web page at http://wordpress.org/download/
Related URL CVE-2021-29447,CVE-2021-29450 (CVE)