weixin-python is vulnerable to XML External Entity (XXE) Injection. The vulnerability exists in the parse function in msg.py and the to_xml function in pay.py, because XML entities are allowed to be resolved when a document is processed. An attacker who can submit a crafted XML document can therefore have its entities resolved on the server, causing the server to perform requests on the attacker's behalf.
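The root cause named above is entity resolution during parsing. The example below is added here and is not weixin-python's own code: it parses a flat WeChat-style message (a root xml element with text children, a shape assumed from the WeChat message format) using only the standard-library expat parser, and refuses the document as soon as a DOCTYPE, an entity declaration or an external entity reference appears. Since such messages never legitimately carry a DTD, rejecting it outright removes the entity-resolution path entirely rather than trying to filter individual entities. The parse_message, rejects and UnsafeXMLError names and the sample messages are constructed for this illustration.

```python
"""Added example: a DTD-rejecting parser for flat WeChat-style XML messages.
Not weixin-python's code; the flat <xml> message shape is an assumption."""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DOCTYPE, entity declaration or
    external entity reference, none of which a message should contain."""


def parse_message(raw):
    """Parse a flat <xml>...</xml> message into a dict, refusing any DTD.

    Rejecting <!DOCTYPE ...> up front means no entity (internal or
    external) can ever be declared, so there is nothing for the parser
    to resolve. CDATA content is delivered to the character handler, so
    the usual <![CDATA[...]]> wrapping in these messages is handled.
    """
    if isinstance(raw, str):
        raw = raw.encode("utf-8")
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    state = {"path": [], "text": []}

    # Every hook that could lead to entity handling raises instead.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not allowed")

    def reject_entity(*args):
        raise UnsafeXMLError("entity declarations are not allowed")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity references are not allowed")

    def start(name, attrs):
        state["path"].append(name)
        state["text"] = []  # collect text for the element just opened

    def chars(data):
        state["text"].append(data)  # expat may deliver text in chunks

    def end(name):
        if len(state["path"]) == 2:  # direct child of the root element
            result[name] = "".join(state["text"])
        state["path"].pop()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(raw, True)  # a handler exception propagates out of Parse
    return result


def rejects(raw):
    """True if parse_message refuses the document as unsafe."""
    try:
        parse_message(raw)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample messages (not real traffic).
SAFE_MESSAGE = (
    "<xml><ToUserName><![CDATA[gh_example]]></ToUserName>"
    "<MsgType><![CDATA[text]]></MsgType>"
    "<Content><![CDATA[hello]]></Content></xml>"
)
# Even a harmless internal-subset DOCTYPE is refused: the policy is
# "no DTD at all", not "no dangerous entities".
DTD_MESSAGE = (
    '<?xml version="1.0"?><!DOCTYPE xml [<!ENTITY e "x">]>'
    "<xml><Content>&e;</Content></xml>"
)

if __name__ == "__main__":
    print(parse_message(SAFE_MESSAGE))
    print("DTD message rejected:", rejects(DTD_MESSAGE))
```

The same policy is what the defusedxml package applies when it wraps the standard parsers; the version here is written out with expat handlers so the exact hooks that matter (StartDoctypeDeclHandler, EntityDeclHandler, ExternalEntityRefHandler) are visible.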