WordPress Vulnerability (Medium) –

Mar 10, 2026 | Core

Attack Vectors

This Medium-severity vulnerability (CVSS 6.5) affects WordPress core (slug: wordpress) in versions up to and including 6.9.1. It can be triggered by an authenticated user with Author-level permissions or higher who is able to upload media.

The attacker’s path is to upload a specially crafted media file that contains XML metadata (notably iXML chunks in WAV/RIFF/AVI files). When WordPress processes the upload and reads metadata, the bundled getID3 library parses that embedded XML in a way that can allow local file disclosure via file:// references.

Security Weakness

WordPress core bundles the getID3 library for media metadata processing. In affected versions, XML parsing is performed with entity substitution enabled because the GETID3_LIBXML_OPTIONS constant includes the LIBXML_NOENT flag. This creates an XML External Entity (XXE) Injection condition when XML metadata is parsed from certain media formats.

As a result, XML entities can be expanded during parsing, which may allow an attacker to coerce the server into returning contents of local files referenced through file:// URIs.

Remediation: Update WordPress to 6.8.4, 6.9.2, or any newer patched version. Reference: Wordfence advisory.

Technical or Business Impacts

The primary risk described is confidentiality loss (consistent with the CVSS vector indicating High confidentiality impact). If exploited, an attacker may be able to disclose sensitive local files from the WordPress server, which can lead to exposure of secrets or data that enable follow-on compromise and fraud.

For business leaders, the most likely downstream impacts include: increased breach likelihood through exposed credentials or keys, potential customer or employee data exposure depending on what is accessible on the host, incident response cost, reputational damage, and potential compliance reporting obligations (e.g., if regulated data is involved).

Similar attacks: XXE has a long history across popular platforms and libraries. Examples include CVE-2021-29447 (WordPress XXE via media processing) and CVE-2018-1270 (Spring Web Services XXE).

To reduce exposure while you schedule patching, consider tightening who can upload media (and what types), reviewing Author/Contributor role assignments, and monitoring media upload activity for unusual patterns—especially if your WordPress instance supports multiple authors, guest posting workflows, or externally managed content operations.
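As an added example (not WordPress or getID3 code) that ties the weakness described above to the interim monitoring advice, the following Python walks the RIFF chunk layout of an uploaded WAV and flags any iXML chunk that carries a DOCTYPE or ENTITY declaration, which is exactly what entity substitution under LIBXML_NOENT would act on; legitimate iXML metadata has no reason to declare entities. The function names and both sample files are constructed for this example.

```python
import re
import struct

# Any DOCTYPE or ENTITY declaration inside embedded metadata XML is abnormal
# for iXML and is the precondition for entity expansion, so flag it outright.
DECL_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: id, little-endian size, data, pad to even length."""
    pad = b"\0" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad

def build_wav(extra_chunks) -> bytes:
    """Constructed minimal WAV (PCM fmt header, caller-supplied chunks, empty data)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + _chunk(b"fmt ", fmt) + b"".join(extra_chunks) + _chunk(b"data", b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body

def iter_riff_chunks(data: bytes):
    """Walk top-level RIFF chunks, yielding (fourcc, payload); stops at truncation."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return
    offset = 12
    while offset + 8 <= len(data):
        fourcc = data[offset:offset + 4]
        size = struct.unpack("<I", data[offset + 4:offset + 8])[0]
        payload = data[offset + 8:offset + 8 + size]
        yield fourcc, payload
        if len(payload) < size:
            return  # declared size runs past end of file: malformed, stop walking
        offset += 8 + size + (size & 1)  # chunks are word-aligned

def find_xml_declarations(data: bytes, xml_chunks=(b"iXML",)) -> list:
    """Return (chunk id, snippet) for each XML-bearing chunk holding a DOCTYPE/ENTITY."""
    findings = []
    for fourcc, payload in iter_riff_chunks(data):
        if fourcc in xml_chunks:
            match = DECL_RE.search(payload)
            if match:
                snippet = payload[match.start():match.start() + 40]
                findings.append((fourcc.decode("ascii"), snippet.decode("ascii", "replace")))
    return findings

# Constructed samples: one ordinary iXML chunk, one carrying an internal entity
# declaration. No entity is resolved here; the check only inspects bytes.
BENIGN_XML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'
SUSPICIOUS_XML = (b'<?xml version="1.0"?><!DOCTYPE BWFXML [<!ENTITY e "x">]>'
                  b'<BWFXML><PROJECT>&e;</PROJECT></BWFXML>')
```

A gate like this belongs in front of the upload pipeline or in a scan of the existing media library; it complements, but does not replace, moving to a patched WordPress release, since the parser itself still needs the fix.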
