Plone prior to 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role.
plone plone