A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that will could allow anyone to take down most WordPress websites even with an individual machine—without hitting which has a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.
Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched in addition to affects almost all versions of WordPress released in last nine years, including the latest stable Discharge of WordPress (type 4.9.2).
Discovered by Israeli security researcher Barak Tawily, the vulnerability resides inside the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.
However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually creating the feature accessible to anyone.
How WordPress DoS Attack Works
“There is usually a well-defined list ($wp_scripts), that will can be requested by users as part of the load parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value coming from the user,” Tawily says.
Although an individual request might not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible in addition to bring that will down.
The Hacker News has verified the authenticity of the DoS exploit that will successfully took down one of our demo WordPress websites running on a medium-sized VPS server.
“that will is usually time to mention again that will load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.
However, attack coming from an individual machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power in addition to memory.
although that will doesn’t mean the flaw is usually not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets in addition to bandwidth to achieve the same goal—to take down a site.
So attackers with more bandwidth or a few bots can exploit This particular flaw to target big in addition to well-liked WordPress websites as well.
No Patch Available – Mitigation Guide
Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.
Knowing that will DoS vulnerabilities are out-of-scope coming from the WordPress bug bounty program, Tawily responsibly reported This particular DoS vulnerability to the WordPress team through HackerOne platform.
However, the company refused to acknowledge the issue, saying that will This particular kind of bug “should genuinely get mitigated at the server end or network level rather than the application level,” which is usually outside of WordPress’s control.
The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers in addition to creating them unavailable for their legitimate users.
For websites that will can’t afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked type of WordPress, which includes mitigation against This particular vulnerability.
However, I personally wouldn’t recommend users to install modified CMS, even if that will is usually coming from a trusted source additional than the original author.
Besides This particular, the researcher has also released a simple bash script that will fixes the issue, in case you have already installed WordPress.