The XML vulnerability is present in WordPress and Drupal versions from 3.5 to 3.9.1. It basically exploits the use of entity expansion, this means that it replicates one large entity using a couple thousand characters repeatedly. The vulnerability is a problem related to the PHPs XML processor that was promptly fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. The PoC Exploit: (128MB Memory limit) is available at the address below”]
Source: https://securityaffairs.co/wordpress/27409/hacking/drupal-drupal-critical-flaw.html