1 week ago

Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites


A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that will could allow anyone to take down most WordPress websites even with an individual machine—without hitting which has a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.

Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched in addition to affects almost all versions of WordPress released in last nine years, including the latest stable Discharge of WordPress (type 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides inside the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.

For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance in addition to load page faster by combining (on the server end) multiple JavaScript files into an individual request.

However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually creating the feature accessible to anyone.

wordpress dos attack

Depending upon the plugins in addition to modules you have installed, the load-scripts.php file selectively calls required JavaScript files by passing their names into the “load” parameter, separated by a comma, like inside the following URL:


While loading the website, the ‘load-scripts.php’ (mentioned inside the head of the page) tries to find each JavaScript file name given inside the URL, append their content into an individual file in addition to then send back that will to the user’s web browser.

How WordPress DoS Attack Works


According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the above URL, creating the targeted website slightly slow by consuming high CPU in addition to server memory.

“There is usually a well-defined list ($wp_scripts), that will can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value coming from the user,” Tawily says.

Although an individual request might not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible in addition to bring that will down.

The Hacker News has verified the authenticity of the DoS exploit that will successfully took down one of our demo WordPress websites running on a medium-sized VPS server.

“that will is usually time to mention again that will load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.

However, attack coming from an individual machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power in addition to memory.


although that will doesn’t mean the flaw is usually not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets in addition to bandwidth to achieve the same goal—to take down a site.

So attackers with more bandwidth or a few bots can exploit This particular flaw to target big in addition to well-liked WordPress websites as well.

No Patch Available  – Mitigation Guide

Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.

Knowing that will DoS vulnerabilities are out-of-scope coming from the WordPress bug bounty program, Tawily responsibly reported This particular DoS vulnerability to the WordPress team through HackerOne platform.

However, the company refused to acknowledge the issue, saying that will This particular kind of bug “should genuinely get mitigated at the server end or network level rather than the application level,” which is usually outside of WordPress’s control.

The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers in addition to creating them unavailable for their legitimate users.

For websites that will can’t afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked type of WordPress, which includes mitigation against This particular vulnerability.

However, I personally wouldn’t recommend users to install modified CMS, even if that will is usually coming from a trusted source additional than the original author.

Besides This particular, the researcher has also released a simple bash script that will fixes the issue, in case you have already installed WordPress.

Article Categories:
Security Hacks

Leave a Comment

Your email address will not be published. Required fields are marked *

17 − sixteen =