WordPress Security: OWASP 2017 - A4 XML External Entities (XXE)
XXE attacks exploit XML processors by having them process malicious XML files. Attackers can do this when a web-based application allows its users to upload XML files.
WordPress inherently disables custom XML loading. This prevents External Entity and Entity Expansion attacks.
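For a plugin or theme that does accept XML uploads, the same protection can be applied in the code that parses them. The following is an added example, not WordPress core code: `example_parse_untrusted_xml()` is a hypothetical helper name, and it assumes PHP with the DOM extension and a string that has already been read from the upload.

```php
<?php
// Added example; example_parse_untrusted_xml() is a hypothetical helper name.
function example_parse_untrusted_xml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new InvalidArgumentException('Empty XML document');
    }
    // PHP < 8.0 may be linked against libxml2 older than 2.9.0, which loads
    // external entities by default, so switch the loader off while parsing.
    $restore = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network fetches. Deliberately absent:
        // LIBXML_NOENT (substitutes entities), LIBXML_DTDLOAD (loads the
        // external DTD subset), LIBXML_PARSEHUGE (lifts libxml2's limits).
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // Entities can only be declared in a DOCTYPE, so refusing any document
        // that carries one covers External Entity and Entity Expansion input.
        // The check runs on the parsed tree, so the upload's encoding is moot.
        if ($doc->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE is not accepted');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed sample inputs: one plain document, one declaring a harmless entity.
$benign = '<?xml version="1.0"?><items><item>ok</item></items>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE items [<!ENTITY e "x">]><items>&e;</items>';
foreach (['benign' => $benign, 'doctype' => $withDoctype] as $label => $xml) {
    try {
        example_parse_untrusted_xml($xml);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```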