XXE injection vulnerability in WordPress allows attackers to steal host files

According to researchers, an XML External Entity (XXE) injection bug in WordPress could enable attackers to remotely steal a victim’s files.

The vulnerability was discovered by SonarSource security researchers, who published a blog post with technical information on the now-patched flaw.

It affects WordPress versions prior to 5.7.1.

On April 14th, 2021, WordPress released a security and maintenance update to fix the vulnerability and secure its users.



An attacker can use an XXE vulnerability to interfere with an application’s processing of XML data. This lets the attacker view files on the application server’s filesystem and interact with any back-end or external systems that the application itself can access.

In this case, the XXE bug was present in WordPress versions 5.7 and lower, and it may have allowed remote arbitrary file disclosure and server-side request forgery (SSRF).
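The two impacts named above map onto what an external entity points at: a local path or a network URL. The following added example (not code from WordPress or from the SonarSource write-up) uses Python's expat bindings to list the external entities a document declares without resolving any of them, so an upload can be rejected before it reaches a full parser. The function names, the sample document and the host `internal.example` are constructed for illustration.

```python
from urllib.parse import urlsplit
from xml.parsers import expat

# Constructed sample upload: one harmless internal entity, two external ones.
SAMPLE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello">
  <!ENTITY local SYSTEM "file:///etc/hostname">
  <!ENTITY remote SYSTEM "http://internal.example/status">
]>
<note>&greeting; &local; &remote;</note>"""

NETWORK_SCHEMES = {"http", "https", "ftp"}


def audit_entities(xml_bytes):
    """List external entities declared in a document without resolving them.

    Returns (entity_name, system_id, risk) tuples in declaration order.
    Raises ValueError if the input is not well-formed XML.
    """
    findings = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None:
            return  # internal entity: its text is inline, nothing is fetched
        scheme = urlsplit(system_id).scheme.lower()
        risk = "ssrf" if scheme in NETWORK_SCHEMES else "file-disclosure"
        findings.append((name, system_id, risk))

    parser = expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so expat never opens system_id.
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return findings


def accept_upload(xml_bytes):
    """Policy gate: reject any document that declares an external entity."""
    return not audit_entities(xml_bytes)


if __name__ == "__main__":
    for name, system_id, risk in audit_entities(SAMPLE_UPLOAD):
        print(f"reject: entity {name!r} -> {system_id} ({risk})")
```

Documents that legitimately need no DTD can be held to a stricter rule by rejecting any `<!DOCTYPE` at all; this check only shows how the declarations separate into the two risk classes.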

