The newly disclosed XXE vulnerability affects WordPress versions prior to 5.7.1 and lets an authenticated attacker read sensitive files from the host server, including the database credentials in `wp-config.php`. It only affects installations running PHP 8, and it requires no more than an account that is allowed to upload to the media library, so it is exploitable with far lower privileges than administrator access. The attack is a blind XXE: the attacker uploads a media file carrying malicious XML, WordPress parses that XML while extracting the file's metadata, and the external entities declared in it are used to read a file on the server and exfiltrate its contents, because the parser's output is not simply echoed back to the attacker. WordPress 5.7.1 fixes the issue by reintroducing the call to `libxml_disable_entity_loader()`, which had been dropped because PHP 8 deprecates it. Developers who want a defence that does not depend on a deprecated toggle can use `libxml_set_external_entity_loader()`, which gives explicit, application-level control over whether, and from where, external entities may be loaded. The incident is a reminder to keep software up to date and to treat any XML that originates from user-controlled content as untrusted when it is parsed.

The pattern behind the bug, as an added example in PHP that is not WordPress or getID3 code: an XML string from an untrusted source is parsed with `LIBXML_NOENT`, which makes libxml substitute entities and therefore fetch the external one, next to the same parse with a deny-all loader installed through `libxml_set_external_entity_loader()`. The payload, the target file and the `name` element are constructed for the demonstration, and the function names are assumptions; the code assumes PHP 8 with the SimpleXML extension.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for wp-config.php: a temporary file holding a fake secret.
function makeSecretFile(): string {
    $path = tempnam(sys_get_temp_dir(), 'xxe');
    file_put_contents($path, "DB_PASSWORD=example-only\n");
    return $path;
}

// Constructed payload with the shape of a file-reading XXE: an external
// general entity pointing at an absolute path, referenced from element text.
function buildPayload(string $targetPath): string {
    return <<<XML
<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY leak SYSTEM "file://{$targetPath}">
]>
<r><name>&leak;</name></r>
XML;
}

// Vulnerable pattern: LIBXML_NOENT asks libxml to substitute entities, so the
// content of "leak" is read from disk and ends up in the parsed tree. Whatever
// stores or forwards that tree (metadata, a REST response, an error message)
// becomes the leak channel.
function parseUnsafe(string $xml): ?string {
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : (string) $doc->name;
}

// Hardened pattern: install an entity loader that refuses every external
// reference. Returning null from the resolver makes libxml treat the entity
// as not found, so the parse fails instead of returning file contents.
function denyAllExternalEntities(): void {
    libxml_set_external_entity_loader(
        function (?string $publicId, ?string $systemId, array $context) {
            // Log and refuse: nothing outside the document may be loaded.
            error_log("blocked external entity: " . ($systemId ?? $publicId ?? '?'));
            return null;
        }
    );
}

// Same call as parseUnsafe(); the loader installed above is what makes the
// difference, so the flag can stay even if some legacy code depends on it.
function parseHardened(string $xml): ?string {
    denyAllExternalEntities();
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    if ($doc === false) {
        foreach (libxml_get_errors() as $err) {
            error_log("parse rejected: " . trim($err->message));
        }
        libxml_clear_errors();
        return null;
    }
    return (string) $doc->name;
}

$secret  = makeSecretFile();
$payload = buildPayload($secret);

// Run the unsafe parse first: on an affected setup this returns the file content.
$leaked = parseUnsafe($payload);
echo "unsafe parse returned: " . var_export($leaked, true) . PHP_EOL;

// Then the hardened parse: the external entity is refused and the parse fails.
$safe = parseHardened($payload);
echo "hardened parse returned: " . var_export($safe, true) . PHP_EOL;

unlink($secret);
```

The deny-all loader is process-wide once installed, which is the point: set it once during application bootstrap, before any library code parses XML, and every `simplexml_load_string()`, `DOMDocument::loadXML()` and `XMLReader` call in the process inherits the restriction regardless of which flags the caller passes. If a component legitimately needs an external DTD or schema, return a path or stream only for an allow-listed `$systemId` instead of returning null unconditionally.