WordPress isn’t going to patch it, either…
WordPress is the most popular Content Management System (CMS) in the entire world. In fact, WordPress powers 29% of the web. That’s why it’s alarming the company isn’t going to patch a DoS vulnerability that, when exploited, could easily bring down an entire website.
Let’s start back at the beginning.
That’s a lot to untangle, so maybe this comparison will help. This script acts a bit like a project manager: it takes a bunch of different inputs from different team members, then organizes them into one coherent document before presenting it to management.
What is the WordPress Vulnerability?
Unfortunately, WordPress, in attempting to make “load-scripts.php” work on the admin login page, forgot to put authentication in place. That means that it’s accessible to anyone.
One attacker would likely not be able to take a site down on their own. But Tawily provides a Proof of Concept that showed what a distributed attack could accomplish. Hacker News independently confirmed the exploit. They used it to bring down a test site on a medium-sized server. It was unable to knock another site with a dedicated server offline.
That doesn’t mean the attack wouldn’t still be effective against a site with higher server power. It could still put considerable strain on the server’s resources.
WordPress to the Rescue… or not
Here’s where the story gets aggravating, though: Tawily submitted the bug to WordPress, who promptly did nothing. WordPress has no plans to patch it. Their argument is that it should be handled at the server or network level.
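Since the stated position is that this belongs at the server or network level, here is what that looks like in practice: an added nginx example (not from the original post, WordPress, or Tawily) that rate-limits requests to the unauthenticated load-scripts.php endpoint per client address. It assumes nginx in front of PHP-FPM, with a placeholder upstream named php_upstream and rate values you would tune to your own traffic.

```nginx
http {
    # Assumed/constructed: one shared-memory zone keyed on client IP.
    # 2 requests/second per IP is a placeholder; normal admin usage
    # needs only a handful of load-scripts.php calls per page load.
    limit_req_zone $binary_remote_addr zone=wp_loadscripts:10m rate=2r/s;

    upstream php_upstream {
        server unix:/run/php/php-fpm.sock;  # placeholder socket path
    }

    server {
        listen 80;
        server_name example.com;             # placeholder host
        root /var/www/wordpress;             # placeholder docroot

        # Only this endpoint is throttled; the rest of wp-admin is untouched.
        location = /wp-admin/load-scripts.php {
            # Allow a short burst for a legitimate page load, then
            # answer excess requests with 429 instead of running PHP,
            # so the expensive concatenation never happens for floods.
            limit_req zone=wp_loadscripts burst=10 nodelay;
            limit_req_status 429;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass php_upstream;
        }

        # Usual WordPress PHP handling for everything else.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass php_upstream;
        }
    }
}
```

Rejected requests show up in the nginx error log as "limiting requests", which also gives you a detection signal for a flood against this endpoint; a distributed attack from many addresses would need the limit applied at a CDN or WAF in front of the server instead.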
Fortunately, Tawily produced a patch for WordPress users.
If you’re a WordPress user, this applies to you. It applies to every WordPress version for the past nine years—including the most recent one (4.9.2).
So maybe get on that.