Sonar's writeup of the WordPress 5.7 XXE is a textbook example of why XML parsing in 2026 still deserves attention. It's also a useful piece of evidence next time someone tells you "WordPress core is fine, only the plugins are risky."
The bug, briefly
WordPress 5.7 carried a code path that ran XML found inside user-supplied media through PHP's libxml-based parser with entity substitution switched on (the LIBXML_NOENT flag). On PHP 7 the old libxml_disable_entity_loader(true) safety net kept external entities from being fetched; on PHP 8 that function is deprecated and was not being applied, so the flag did exactly what it says. An authenticated user with the ability to upload media could submit a crafted file containing a reference to an external entity, and the parser would resolve it, meaning the server would fetch and inline contents from any path the PHP process could read, including /etc/passwd and the always-popular wp-config.php.
The fix was small: pass the right flags into the XML parser so external entities are never resolved, whatever the PHP version.
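The two parser calls side by side, as an added example that is not WordPress or getID3 code. It assumes PHP 8 with SimpleXML; the temp file standing in for wp-config.php, the element names and the function names are invented for the demo.

```php
<?php
// Added example (not WordPress or getID3 code). Shows why LIBXML_NOENT is the
// dangerous flag and what a hardened parse of the same input looks like.
// Assumes PHP 8 with the SimpleXML extension.

// Stand-in for a secret on disk (assumption: wp-config.php in the real case).
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "DB_PASSWORD='hunter2'");

// Constructed attacker input: an internal DTD subset declaring an external
// entity that points at a local file, then a reference to it in content.
$payload = <<<XML
<!DOCTYPE meta [ <!ENTITY leak SYSTEM "file://{$secret}"> ]>
<meta><title>&leak;</title></meta>
XML;

function parse_vulnerable(string $xml): string
{
    // LIBXML_NOENT enables entity substitution, which includes fetching
    // external entities. On PHP 8 nothing else stands in the way.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return (string) $doc->title;
}

function parse_hardened(string $xml): ?string
{
    // Untrusted XML has no business carrying a DTD: that is where entities
    // are declared, so reject the document outright if one is present.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    // Old mitigation, still worth keeping on PHP 7 builds; deprecated on 8.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // No LIBXML_NOENT, no LIBXML_DTDLOAD; LIBXML_NONET additionally forbids
    // network fetches during parsing. Entities are left unexpanded.
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    return $doc === false ? null : (string) $doc->title;
}

echo "vulnerable: ", parse_vulnerable($payload), "\n"; // leaks DB_PASSWORD='hunter2'
var_dump(parse_hardened($payload));                     // NULL: document rejected
var_dump(parse_hardened('<meta><title>ok</title></meta>')); // string(2) "ok"

unlink($secret);
```

The DOCTYPE rejection is the part that keeps working when someone later adds a flag they don't understand; the flag hygiene is the part that keeps working when the input arrives through a library you don't control.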
Why it matters even though it's patched
Three reasons it's still worth knowing about:
- Old sites still exist. WordPress installs frozen on 5.7 because of a custom theme that broke under 5.8 are not rare. If you run one, the XXE is still there.
- The pattern repeats. Every time a piece of XML enters a CMS — RSS importers, oEmbed, sitemap fetchers, OPML uploads — there's a chance the parser was configured permissively. We see this in plugins almost every quarter.
- The blast radius from a single user account. "Authenticated" sounds like a high bar until you remember that on many WordPress sites low-privileged accounts are easy to create (open registration, WooCommerce customer accounts, etc.), and that a stock Author role already carries media upload rights. An XXE reachable from an account that can upload files is a much bigger deal than an admin-only XXE.
What to check
- Confirm WordPress core is at least 5.7.1, the release that patched it (the older maintained branches got point releases at the same time): run `wp core version` or look at `wp-includes/version.php`. Note the PHP version too; the bug is only reachable on PHP 8.
- If you can't update, and for any plugin that accepts XML, search for `loadXML`, `simplexml_load_string`, `DOMDocument::load` across the codebase, and check whether the surrounding code passes `LIBXML_NOENT` or `LIBXML_DTDLOAD` (bad) or leaves entity substitution off. A `libxml_disable_entity_loader(true)` call is the old mitigation; it is deprecated in PHP 8, and code that no longer calls it there relies entirely on the parser flags. Plugins are the more interesting hunting ground.
- Logs: requests with content-type `application/xml` going to media-upload or import endpoints, especially ones with `<!ENTITY` or `SYSTEM` substrings in the body, are worth a look. Don't filter on content-type alone; the XML can arrive embedded in a media file.
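The code audit and the log triage from the checklist above as two small helpers, added here and not taken from the page, WordPress or getID3. The endpoint list, the tab-separated log format (method, path, content-type, body excerpt) and all sample inputs are constructed for the example.

```php
<?php
// Added example, not code from the page, WordPress or getID3. Two triage
// helpers for the checks above, run on constructed samples. Endpoint list
// and log format (tab-separated: method, path, content-type, body excerpt)
// are assumptions about what your own logs look like.

// Heuristic source audit: a libxml parse call on the same line as a flag that
// enables entity substitution or DTD loading. Multi-line calls and flags held
// in variables are missed; read a clean result as "nothing obvious", not "safe".
function find_risky_xml_calls(string $php_source): array
{
    $parsers  = ['simplexml_load_string', 'simplexml_load_file', '->loadXML(', 'DOMDocument::load'];
    $flags    = ['LIBXML_NOENT', 'LIBXML_DTDLOAD'];
    $findings = [];
    foreach (explode("\n", $php_source) as $i => $line) {
        foreach ($parsers as $call) {
            if (strpos($line, $call) === false) {
                continue;
            }
            foreach ($flags as $flag) {
                if (strpos($line, $flag) !== false) {
                    $findings[] = ['line' => $i + 1, 'call' => $call, 'flag' => $flag];
                }
            }
        }
    }
    return $findings;
}

// Log triage: POSTs to upload/import endpoints whose body carries a DTD or an
// entity declaration. The body check matters more than the content-type, since
// the XML may sit inside a file that is not declared as XML at all.
function suspicious_xml_requests(array $log_lines): array
{
    $endpoints = ['/wp-admin/async-upload.php', '/wp-admin/media-new.php',
                  '/wp-admin/import.php', '/wp-json/wp/v2/media'];
    $hits = [];
    foreach ($log_lines as $n => $line) {
        $fields = explode("\t", $line, 4);
        if (count($fields) < 4) {
            continue;
        }
        [$method, $path, $ctype, $body] = $fields;
        if ($method !== 'POST') {
            continue;
        }
        $onEndpoint = false;
        foreach ($endpoints as $e) {
            if (str_starts_with($path, $e)) {
                $onEndpoint = true;
                break;
            }
        }
        if (!$onEndpoint) {
            continue;
        }
        $reasons = [];
        if (stripos($body, '<!DOCTYPE') !== false) {
            $reasons[] = 'DOCTYPE present';
        }
        if (stripos($body, '<!ENTITY') !== false) {
            $reasons[] = 'entity declaration';
        }
        if (preg_match('/<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b/i', $body)) {
            $reasons[] = 'external entity';
        }
        if ($reasons) {
            $hits[] = ['line' => $n + 1, 'path' => $path, 'content_type' => $ctype, 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed source sample: lines 1 and 4 are the bad patterns, line 3 is fine.
$source = <<<'PHP'
$xml  = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NOENT);
$dom  = new DOMDocument();
$dom->loadXML($data, LIBXML_NONET);
$feed = simplexml_load_file($path, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD);
PHP;

// Constructed log sample: a media upload with XML embedded in a non-XML body,
// a clean WXR import, a GET, and an XML POST with an internal (not external) entity.
$logs = [
    "POST\t/wp-admin/async-upload.php\tmultipart/form-data\tRIFF....WAVEiXML<!DOCTYPE x [<!ENTITY f SYSTEM \"file:///etc/passwd\">]><x>&f;</x>",
    "POST\t/wp-admin/import.php?import=wordpress\tapplication/xml\t<rss><channel><title>blog</title></channel></rss>",
    "GET\t/wp-json/wp/v2/media\t-\t-",
    "POST\t/wp-json/wp/v2/media\tapplication/xml\t<!DOCTYPE m [<!ENTITY a \"inline\">]><m>&a;</m>",
];

print_r(find_risky_xml_calls($source));   // three findings: line 1 (NOENT), line 4 (NOENT, DTDLOAD)
print_r(suspicious_xml_requests($logs));  // log lines 1 and 4; line 2 is a normal import
```

Run the first helper over `wp-content/plugins` with `find ... -name '*.php' -exec cat {} +` piped in and you get the grep from the checklist with the flag check already applied; the second is a starting point for a SIEM rule, with the entity regex doing the real work and the endpoint list there to keep the noise down.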
If your site is still on a frozen WordPress version because of a theme constraint, the fix isn't to "stay there carefully" — it's to fix the theme. We can help with either side (cleanup, hardening).