A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform which could allow anyone to take down most WordPress websites even with just one machine—without hitting using a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.
Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched as well as also affects almost all versions of WordPress released in last nine years, including the latest stable Discharge of WordPress (edition 4.9.2).
Discovered by Israeli security researcher Barak Tawily, the vulnerability resides inside way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.
However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually generating the feature accessible to anyone.
How WordPress DoS Attack Works
“There will be a well-defined list ($wp_scripts), which can be requested by users as part of the load parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value coming from the user,” Tawily says.
Although just one request could not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible as well as also bring the item down.
The Hacker News has verified the authenticity of the DoS exploit which successfully took down one of our demo WordPress websites running on a medium-sized VPS server.
“the item will be time to mention again which load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.
However, attack coming from just one machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power as well as also memory.
yet which doesn’t mean the flaw will be not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets as well as also bandwidth to achieve the same goal—to take down a site.
So attackers with more bandwidth or a few bots can exploit This particular flaw to target big as well as also well-liked WordPress websites as well.
No Patch Available – Mitigation Guide
Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.
Knowing which DoS vulnerabilities are out-of-scope coming from the WordPress bug bounty program, Tawily responsibly reported This particular DoS vulnerability to the WordPress team through HackerOne platform.
However, the company refused to acknowledge the issue, saying which This particular kind of bug “should truly get mitigated at the server end or network level rather than the application level,” which will be outside of WordPress’s control.
The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers as well as also generating them unavailable for their legitimate users.
For websites which can’t afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked edition of WordPress, which includes mitigation against This particular vulnerability.
However, I personally wouldn’t recommend users to install modified CMS, even if the item will be coming from a trusted source additional than the original author.
Besides This particular, the researcher has also released a simple bash script which fixes the issue, in case you have already installed WordPress.