WordPress Security: OWASP 2017 - A4 XML External Entities (XXE)

XXE attacks exploit XML processors by executing malicious XML files. This can be exploited by attackers if a web-based application allows its user to upload XML files.

WordPress inherently disables custom XML loading. This prevents External Entity and Entity Expansion attacks.


OWASP 2017: XML External Entities