• The XmlRpc package of Zend Framework is vulnerable to XML eXternal Entity Injection attacks (both server and client). The SimpleXMLElement class (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections. Other software that uses the XmlRpc package of Zend Framework is then also vulnerable to XML eXternal Entity Injection attacks!

• Upgrade to the latest version of Zend Framework.

• • ZF2012-01: Local file disclosure via XXE injection in Zend_XmlRpc
  • XML eXternal Entity Injection (XXE) on PHP FPM

• 

• CVE-2012-3363

• CWE-611

• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

• Information Disclosure Known Vulnerabilities CVE-2015-5161

• WordPress Pingback Source URI Denial of Service and Information Disclosure Vulnerabilities (0.6.2 - 2.1.3)
• Dotenv .env file
• WordPress Plugin Contact Form 7 Database Information Disclosure (1.3)
• WordPress Plugin Easy Author Image Information Disclosure (1.5)
• WordPress Plugin WordPress Mobile Pack Information Disclosure (2.0.1)