There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) need