To see an impressive example of how XEE vulnerabilities were found in some of the most popular websites in the world, have a look at http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution. Or, for a more recent example, check out this exploitation of Oracle Peoplesoft: https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce.